Client authentication doesn't appear.
Authorization header or things like this.
ES256 JWT tokens generated by the client with a shared rotating key and integrating the path in the signature can be a good starting point?