I would not recommend using shouldValidate directly. That’s an internal implementation detail, so there’s no guarantee it won’t change.
The authorization APIs become null operations when in an administrator context (as opposed to an authenticated user session). So one approach is to use something like a non-existent role. Take a look at this post for more: Sync Gateway check if admin call(superuser)