Don’t know what [AllowAnonymous] you’re referring to is, it’s not a ServiceStack feature.
ServiceStack’s Authentication is designed so that it creates an Authenticated session so it can be used on subsequent requests without re-authenticating. A User is authenticated if they have a valid session.
If you don’t the session retained after each request you could delete the session after each request in a Response Filter, e.g:
GlobalResponseFilters.Add((req, res, dto) => {
req.RemoveSession();
});
Also you can disable Session Cookies being added to Responses with:
SetConfig(new HostConfig {
AllowSessionCookies = false
});
This way the Session Cookies are not returned so they can’t use them on subsequent requests, though not sure if this affects the Auto0 JWT provider you’re using at all.
Otherwise If this isn’t suitable then the alternative is to not to use ServiceStack Authentication, just validate the Request each time using a Request Filter.