Where to put Request and Response DTOs?

I’ve thoroughly read the documentation, including:

and

And looked at a lot of the examples. But one thing still confuses me:

Some examples show Request / Response DTOs inline above the Service definition (in the *.ServiceInterface project). Some have them in the *.ServiceModel project (RedisStackOverflow/Questions.cs at master · NetCoreApps/RedisStackOverflow · GitHub).

But when you define everything (Request & Response DTOs in the ServiceModel project), you can’t put any security-related restrictions (RequirePermission, RequireRole, etc…).

If I put everything (Request DTOs / Response DTOs) in my ServiceInterface project, no clients will be able to access it for strongly typed calls. Maybe I’ve been staring at this too long?

Require/Role/Permission/etc filter attributes contain server implementations; they belong on Service class or method implementations, not DTOs.

This goes for any Filter Attributes which contain implementations: they should be annotated on Service implementations, not DTOs.

Ahhhh, that’s where my confusion is happening. DTOs, stored in the ServiceModel project, define contracts with routes (Route attribute). Services define security constraints.

I thought I remembered reading that request DTOs handle that as well, but I must have gotten it confused.

Is the only reason I see examples with everything (Request DTOs, response DTOs, db POCOs) all inlined in the ServiceInterface for simplicity’s sake?

Request DTOs do support filter attributes for additional flexibility, but it’s not recommended because of the server coupling.

Right, to show the complete example in a single page.
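
The split described in the answers above, as an added example that is not part of the original thread or of ServiceStack's samples: DTOs carry only the contract and routes, while the Service implementation carries the authentication and authorization filter attributes. The `MyApp.*` namespaces, the order types, and the role and permission names are hypothetical; both projects are shown in one file for brevity.

```csharp
using System.Collections.Concurrent;
using ServiceStack;

// ---- MyApp.ServiceModel project (hypothetical) ----
// Shared with clients; needs only the dependency-free ServiceStack.Interfaces.
namespace MyApp.ServiceModel
{
    [Route("/orders/{Id}", "GET")]
    public class GetOrder : IReturn<GetOrderResponse>
    {
        public int Id { get; set; }
    }

    public class GetOrderResponse
    {
        public int Id { get; set; }
        public string Status { get; set; }
    }

    [Route("/orders/{Id}", "DELETE")]
    public class DeleteOrder : IReturnVoid
    {
        public int Id { get; set; }
    }
}

// ---- MyApp.ServiceInterface project (hypothetical) ----
// Server only; references ServiceStack, where the filter attributes live.
namespace MyApp.ServiceInterface
{
    using MyApp.ServiceModel;

    [Authenticate]                 // every method needs an authenticated session
    [RequiredRole("Employee")]     // and the (constructed) Employee role
    public class OrderServices : Service
    {
        // Constructed in-memory store standing in for a real database.
        static readonly ConcurrentDictionary<int, string> Orders =
            new ConcurrentDictionary<int, string>(new[] {
                new System.Collections.Generic.KeyValuePair<int, string>(1, "Shipped") });

        public object Get(GetOrder request) => Orders.TryGetValue(request.Id, out var status)
            ? new GetOrderResponse { Id = request.Id, Status = status }
            : throw HttpError.NotFound($"Order {request.Id} does not exist");

        [RequiredPermission("orders.delete")]   // stricter check on this method only
        public void Delete(DeleteOrder request) => Orders.TryRemove(request.Id, out _);
    }
}
```

A client that references only the ServiceModel assembly still gets strongly typed calls such as `client.Get(new GetOrder { Id = 1 })`, and the access checks stay on the server where they are enforced.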