By default, the REPL socket is bound to a loopback, so it will only accept connections made from this machine. This is probably the safest method. Then you can use any auth methods that you would like to get on this machine. SSH or my personal favorite mosh are good options.
It is plausible that you could create some kind of authentication system by providing your own REPL function and allowing only authenticated connections from everyone who wants it, but I think this can be extremely unreasonable and unsafe.