Thanks @dan.woda!
This partially answers my question.
Let me be a little bit more clear: in my Auth0 Management API dashboard there are client grant permissions you can set, i.e. read:users, update:users, etc. I ONLY want the user in my application to be able to update THEIR own data, for which I would expect a client_grant of update:current_user, but I do not.
To guard against having users able to update other users by giving them blanket access to read:users or update:users, does Auth0 support a current_user functionality?
Also, tangentially related: SPA + Rails API passing auth0_id from front end to back - Best Practice
Thank you