I am creating a Vue SPA, and have added @auth0/auth0-vue.
My question is, should I also add Auth0 on the backend server?
My understanding here is limited, so I may be missing out on a more fundamental piece of info.
Do I need Auth0 on both sides?
If not, is it secure to pass the user_id (sub) in the body of a request to the backend?
You need to send the JWT token given to you by auth0-vue in the Authorization header and validate it with express-oauth2-jwt-bearer; otherwise anyone could communicate with your backend regardless of being logged in or not.
No, a machine-to-machine client is used when you want one backend to communicate with another backend, not a client to an API. See the tutorial linked.
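
As an added example (not part of the original posts, and not the code of Auth0 or express-oauth2-jwt-bearer), the sketch below uses only Node's built-in crypto to show the kind of checks the backend makes on the bearer token, and why the user id should come from the verified `sub` claim rather than from the request body. The key pair, issuer, audience and the `issueToken` and `handleRequest` helpers are constructed for illustration; a real API would verify against the tenant's published signing keys.

```javascript
const { generateKeyPairSync, sign, verify } = require('node:crypto');

// Constructed values: a local key pair stands in for the identity provider's signing key.
const ISSUER = 'https://tenant.example/';
const AUDIENCE = 'https://api.example/';
const { publicKey, privateKey } = generateKeyPairSync('rsa', { modulusLength: 2048 });

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const decode = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Hypothetical helper that plays the identity provider and signs an RS256 token.
function issueToken(claims, key = privateKey) {
  const input = `${b64url({ alg: 'RS256', typ: 'JWT' })}.${b64url(claims)}`;
  return `${input}.${sign('sha256', Buffer.from(input), key).toString('base64url')}`;
}

// Returns the verified claims or throws; nothing in the token is trusted before this passes.
function verifyToken(token, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  // Pin the algorithm instead of letting the token choose how it is verified.
  if (decode(h).alg !== 'RS256') throw new Error('unexpected alg');
  if (!verify('sha256', Buffer.from(`${h}.${p}`), publicKey, Buffer.from(s, 'base64url'))) throw new Error('bad signature');
  const claims = decode(p);
  if (claims.iss !== ISSUER) throw new Error('wrong issuer');
  if (![].concat(claims.aud).includes(AUDIENCE)) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  return claims;
}

// Hypothetical request handler: the caller's identity is the verified `sub`.
// Any user_id supplied in the body is ignored, because the client controls it.
function handleRequest(req) {
  const m = /^Bearer (.+)$/.exec((req.headers && req.headers.authorization) || '');
  if (!m) return { status: 401 };
  try {
    return { status: 200, userId: verifyToken(m[1]).sub };
  } catch {
    return { status: 401 };
  }
}
```
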