should be add [authenticate] attribute on DTO, service or both?
What is best practice?
Best would be to add it to DTO because then it’s checking this before validation is running
The [Authenticate] attribute should only be on the Service implementation since it has a dependency on ServiceStack.dll however the recommendation is to instead use the Declarative Validation Attributes like [ValidateIsAuthenticated] on the Request DTO so this information is also available in client DTOs and Client UIs.