I'm using the token inline hook and it's working very well. According to the documentation, the default timeout for the hook endpoint is 3 seconds at which point the request is abandoned and the access token is issued without any custom claims.

This creates a scenario where the user essentially has no permissions on our website until they log out and log back in again. Obviously this is an edge case, but is there any way to configure Okta to not authenticate the user if the token inline hook call times out?

Also, along these lines, how can I change the default timeout? Normally our API issues a response in < 200 ms but occasionally there are hiccups and I'd hate for users to be issued a token that restricts their ability to use the web site.