And Tor even provides a rudimentary ACL built into the .onion address itself, through the somewhat obscure options HiddenServiceAuthorizeClient and HidServAuth. This basically lets you create a circle of Hidden Services that you can access only if you have a matching key.
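
How the two options pair up in torrc, as an added example that is not part of the original text: the service lists its authorized clients, and each client supplies the matching key. The directory, port mapping and client names are assumptions, the address and cookie are placeholders, and both options apply only to the legacy v2 onion service format.

```conf
# ---- Service side: torrc on the machine hosting the hidden service ----
# (constructed example; path and port mapping are assumptions)
HiddenServiceDir /var/lib/tor/private_service/
HiddenServicePort 22 127.0.0.1:22

# Syntax: HiddenServiceAuthorizeClient auth-type client-name,client-name,...
# auth-type is "basic" or "stealth"; with "stealth" every client name
# gets its own .onion address and key.
HiddenServiceAuthorizeClient stealth alice,bob

# After Tor reloads, the "hostname" file inside HiddenServiceDir holds
# one line per authorized client, in this form:
#   <onion-address>.onion <auth-cookie> # client: alice
# Give each client only its own line, over a channel you trust.

# ---- Client side: torrc on the machine that connects ----
# Syntax: HidServAuth onion-address auth-cookie [service-name]
# Both values are placeholders; copy them from the client's line above.
HidServAuth <onion-address>.onion <auth-cookie> private_service
```

To revoke a client, remove its name from the HiddenServiceAuthorizeClient line and reload Tor on the service side.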