I assume you refer to the access token, not ID token, otherwise please clarify?
You can add it via custom claim in a rule.
```js
context.accessToken['https://any-namespace/email'] = user.email;
```
Note that this namespace url is necessary, but can be any url, doesn’t even have to exist; see documentation linked above for details.
In the ID token on the other hand, it’s automatically in there as `email` root claim, if you request for the `email` scope in the authorization request (default is usually: `openid profile email`)
> Do I have any option for solving this? I really need to check the email of the user from the JWT, so I can be sure I can trust the request.
Note that you should also check that the email is verified (via `email_verified` claim), otherwise anybody could just sign up with any random email address.
However, I don’t fully understand what you mean with “trust the request”. In which way trusting it? The access token is cryptographically signed by the authorization server / Auth0. How exactly do you verify the request in the Lambda function based on request info and JWT?
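
An added example, not part of the original post: one way an API such as the Lambda function could read the namespaced email claim only after verifying the token's RS256 signature, issuer, audience, expiry and the verified flag. The issuer and audience values, the function names, and a second namespaced `email_verified` claim set by the same rule are assumptions; the verification key is passed in, and a locally generated key pair stands in for the tenant's signing key.

```javascript
const { generateKeyPairSync, sign, verify } = require('crypto');

// Assumed values: the namespace must match the rule; issuer and audience are placeholders.
const NS = 'https://any-namespace/';
const EXPECTED = { iss: 'https://tenant.example/', aud: 'https://api.example/' };

const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const dec = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Helper for the constructed sample only: signs an RS256 token locally.
function signToken(claims, privateKey) {
  const input = `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}`;
  return `${input}.${sign('sha256', Buffer.from(input), privateKey).toString('base64url')}`;
}

// Returns the email only when signature, iss, aud, exp and email_verified all pass.
function trustedEmail(token, publicKey, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [head, body, sig] = parts;
  if (dec(head).alg !== 'RS256') throw new Error('unexpected alg'); // pin the algorithm
  const valid = verify('sha256', Buffer.from(`${head}.${body}`), publicKey,
    Buffer.from(sig, 'base64url'));
  if (!valid) throw new Error('bad signature');
  const claims = dec(body); // read claims only after the signature check
  if (claims.iss !== EXPECTED.iss) throw new Error('wrong issuer');
  if (![].concat(claims.aud || []).includes(EXPECTED.aud)) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  // Assumes the rule also sets context.accessToken[NS + 'email_verified'] = user.email_verified
  if (claims[NS + 'email_verified'] !== true) throw new Error('email not verified');
  if (typeof claims[NS + 'email'] !== 'string') throw new Error('no email claim');
  return claims[NS + 'email'];
}

// Constructed sample: a local key pair stands in for the tenant's signing key.
const keys = generateKeyPairSync('rsa', { modulusLength: 2048 });
const sample = {
  iss: EXPECTED.iss, aud: EXPECTED.aud, exp: Math.floor(Date.now() / 1000) + 300,
  [NS + 'email']: 'alice@example.com', [NS + 'email_verified']: true,
};
console.log(trustedEmail(signToken(sample, keys.privateKey), keys.publicKey));
```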