[Authenticate] don't work at service level

When I put the [Authenticate] attribute at class level, it seems that I can call all the methods inside even if i’m not authentified.

// My service
public class ExerciceService : ServiceStack.Service
    public void Delete(DeleteExercice request)

// My AppHost Configure()
var dbFactory = container.Resolve<IDbConnectionFactory>();
container.Register<IAuthRepository>(c => new OrmLiteAuthRepository(dbFactory));

Plugins.Add(new AuthFeature(() => new AuthUserSession(),
    new IAuthProvider[] {
        new CredentialsAuthProvider(AppSettings)

But if I move the [Authenticate] attribute at the Delete() method level, I works, I cannot call the DeleteExercice request if i’m not authentified

I use Servicestack 5.9.2 in a NetCore 3.1 application

I send my requests via the Gateway.Send() method inside a ServiceStackController.

public class ExerciceController : ServiceStackController
    public IActionResult DeleteExercice(int id)
        Gateway.Send(new DeleteExercice
            Id = id

        return NoContent();

What do I do wrong ?
Thank you

Internal Service Gateway requests do not execute the Global Request Filters for external HTTP requests, they do Execute Gateway Request/Response filters as well as Validation + Action filters so you will also be able to use the Declarative Validation Authorization Attributes on Request DTOs.