Authenticate DDP client with Pubkey or something else

Hi there

I am planning an application with multiple Meteor instances for different jobs.
The defined methods shall not be publicly accessible via DDP, only for known servers.
Because there are use cases that require customer-controlled installations of Meteor servers, I can't just use firewall settings to limit the access to my server instances. I need a form of authentication to ensure that only known and registered Meteor instances talk to the DDP methods.

One possibility I can imagine is using a private key on the server that does the DDP.connect and storing the public key in the MongoDB of the server that shall be connected.
Has anyone ever tried to establish an authenticated and encrypted DDP connection with a client-side private key like that?

Or does anyone have another idea how to ensure that only authenticated servers (with possibly dynamic IPs) use restricted methods offered by a Meteor server?
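
The scheme described in the question (private key on the connecting server, public key registered with the receiving server) can be built as a nonce challenge-response. The sketch below is an added example, not part of the original post and not Meteor's own API. All names (`registeredKeys`, `issueChallenge`, `signChallenge`, `verifyResponse`, `worker-1`) are hypothetical, a `Map` stands in for the MongoDB collection, and it assumes the DDP connection itself runs over TLS, since signing only authenticates the peer and does not encrypt traffic.

```javascript
const crypto = require('node:crypto');

// Hypothetical stand-ins for MongoDB collections on the receiving server.
const registeredKeys = new Map(); // serverId -> PEM public key
const pendingNonces = new Map();  // nonce (hex) -> { serverId, expires }
const NONCE_TTL_MS = 30_000;

// Receiving side, step 1: hand out a single-use random nonce.
function issueChallenge(serverId, now = Date.now()) {
  const nonce = crypto.randomBytes(32).toString('hex');
  pendingNonces.set(nonce, { serverId, expires: now + NONCE_TTL_MS });
  return nonce;
}

// Connecting side: sign the nonce bound to its own id (Ed25519, so algorithm is null).
function signChallenge(privateKey, serverId, nonce) {
  const msg = Buffer.from(`${serverId}:${nonce}`);
  return crypto.sign(null, msg, privateKey).toString('base64');
}

// Receiving side, step 2: check nonce freshness, then the signature.
function verifyResponse(serverId, nonce, signatureB64, now = Date.now()) {
  const pending = pendingNonces.get(nonce);
  pendingNonces.delete(nonce); // consumed even on failure, so it cannot be replayed
  if (!pending || pending.serverId !== serverId || pending.expires < now) return false;
  const pem = registeredKeys.get(serverId);
  if (!pem) return false; // unknown server: no registered key
  return crypto.verify(null, Buffer.from(`${serverId}:${nonce}`),
    crypto.createPublicKey(pem), Buffer.from(signatureB64, 'base64'));
}

// Constructed demo: one registered server, one unregistered key pair.
function demo() {
  const known = crypto.generateKeyPairSync('ed25519');
  const unknown = crypto.generateKeyPairSync('ed25519');
  registeredKeys.set('worker-1', known.publicKey.export({ type: 'spki', format: 'pem' }));

  const n1 = issueChallenge('worker-1');
  const sig = signChallenge(known.privateKey, 'worker-1', n1);
  const ok = verifyResponse('worker-1', n1, sig);     // registered key, fresh nonce
  const replay = verifyResponse('worker-1', n1, sig); // same nonce presented again
  const n2 = issueChallenge('worker-1');
  const forged = verifyResponse('worker-1', n2, signChallenge(unknown.privateKey, 'worker-1', n2));
  return { ok, replay, forged };
}
```

In a Meteor app, the two receiving-side functions would sit behind methods, and restricted methods would refuse to run until the calling connection has passed `verifyResponse`; that wiring is not shown here.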