This is a question to better understand how to authenticate users using our own API (not OAuth).
I am going to have an API built that will verify that an email address should or should not be granted access to a Roku channel.
I think this is the correct way to do this, creating an endpoint that the Roku channel will hit to verify the email address that comes from our company systems.
How do I insure that someone else (who isn't a member in our database) doesn't use an actual member's email address to gain access to our Roku channel?
Have you look at the on-device authentication documentation and sample channel. These explain and demonstrate how to check whether a customer should be granted access to a channel's content.