Re-visiting this as we comb through our backlog and hope this helps someone in the future
There are a couple of ways you can go about this - you could simply create an Action to “allow list” specific emails:
```javascript
exports.onExecutePostLogin = async (event, api) => {
  // Define your allowlist of emails
  const allowlist = [
    'alloweduser1@example.com',
    'alloweduser2@example.com',
    'alloweduser3@example.com'
  ];

  // Check if the user's email is in the allowlist
  if (!allowlist.includes(event.user.email)) {
    // If the email is not in the allowlist, deny access
    api.access.deny('Access denied: Your email is not in the allowlist.');
  }
};
```
The 2nd and more scalable approach is to implement Role-Based Access Control - at a high level this includes assigning roles (and subsequently API permissions) to users. In your registered API settings, you will want to enable RBAC and most likely the option to include permissions in access tokens. When a user logs in they will receive an access token, and if permissions are included in the token these are what your API, after verifying the access token, will use to make authorization decisions. Alternatively, or in addition to permissions, you can add roles to your users’ access tokens as well using a Post Login Action:
```javascript
exports.onExecutePostLogin = async (event, api) => {
  // event.authorization is only present when the login was authorized,
  // so guard against it being undefined before reading the roles
  if (event.authorization) {
    // Get the user's roles from the event object
    const roles = event.authorization.roles;

    // Add the roles to the access token as a namespaced custom claim
    api.accessToken.setCustomClaim('https://your-domain.com/roles', roles);
  }
};
```
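As an added example (not code from the original post or from Auth0), here are the two Actions above folded into one whose decision logic is a pure function, so it can be unit-tested outside the Auth0 runtime; it also requires `email_verified` and normalises the address before the allowlist lookup. The claim namespace is a placeholder and the allowlisted addresses are constructed samples.

```javascript
// Added example: hardened combination of the allowlist and role-claim Actions.
// The addresses below are constructed samples; the claim namespace is a placeholder.
const ALLOWLIST = new Set([
  'alloweduser1@example.com',
  'alloweduser2@example.com',
]);
// Custom claims must be namespaced; replace with a URL you control.
const ROLES_CLAIM = 'https://your-domain.com/roles';

// Pure decision logic: returns { deny: <reason> } or { roles: [...] }.
function decide(event) {
  const user = event.user || {};
  // Normalise so "AllowedUser1@Example.com" matches the allowlist entry.
  const email = String(user.email || '').trim().toLowerCase();

  // Trust the address only after the identity provider has verified it;
  // on some connections a user can self-assert any email address.
  if (!email || user.email_verified !== true) {
    return { deny: 'Access denied: email address is not verified.' };
  }
  if (!ALLOWLIST.has(email)) {
    return { deny: 'Access denied: Your email is not in the allowlist.' };
  }

  // event.authorization is absent when no authorization was granted.
  const roles = (event.authorization && event.authorization.roles) || [];
  return { roles };
}

// Thin adapter; inside an Auth0 Action this is assigned to exports.onExecutePostLogin.
async function onExecutePostLogin(event, api) {
  const outcome = decide(event);
  if (outcome.deny) {
    api.access.deny(outcome.deny);
    return; // a denied login must not get any custom claims
  }
  api.accessToken.setCustomClaim(ROLES_CLAIM, outcome.roles);
}
```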