A Private pkg Repo Behind Mutual TLS
I am a big fan of mutual TLS ("mTLS" if you prefer the shorter spelling, "client certificates" if you are describing the half a user actually touches). Strangely, I rarely see it used in the wild. That probably says something worrying about how I choose to spend free time, but it is a neat fit for small private infrastructure. Most people reach for HTTP Basic, an API token, or a VPN, and call it a day. A private pkg repository is one of those quiet little places where mutual TLS fits perfectly: a well-established mechanism, no humans typing passwords, and a server that should only answer questions from boxes I actually have access to.