When using `@auth0/auth0-vue`, should I also setup `express-openid-connect` on the backend?

I am creating a Vue SPA, and have added @auth0/auth0-vue.
My question is, should I also add auth0 on the backend server?
My understanding here is limited, so I may be missing out on a more fundamental piece of info.

Do I need auth0 on both sides?
If not, is it secure to pass the user_id (sub) in the body of a request to the backend?

Any help would really be appreciated.

You need to send the JWT token given to you by auth0-vue on the Authorization header and validate it with express-oauth2-jwt-bearer, otherwise anyone could communicate with your backend regardless of being logged in or not.

See: Auth0 Node (Express) API SDK Quickstarts: Authorization

1 Like

Thank you. Does that require setting up an auth0 machine-to-machine API, or can it be done without that?

No, a machine to machine client is used when you want one backend to communicate with another backend, not a client to an API. See the tutorial linked.