add basic authorization, and give clients links with registered login and password like http://user:[email protected]/

Why don't you restrict access to the site via htaccess to specific IPs only.

Order deny,allow
deny from all
# Список IP через пробел, с которых доступ разрешен
Allow from 194.111.70.48 194.78.47.128

Local HTML page with one button: "Login".
The form sends a POST request with one dynamic field (token) based on the public key previously received from the server (hardcoded).

You just need to attach a secret name to the address for knowledgeable clients in hosts. Incoming IP clients without the correct host name will be taken to the "it works" page, according to the standard Apache setting. And registering a domain name is optional in this case.
In any case, such "stealth" will require some kind of identification from clients: host name (my example), password, encryption key.
There is also a similar option when knowledgeable clients have a self-signed certificate in trusted ones.

hang ftp authorization

change of ports + Authorization by client TLS/SSL certificates

Authorization (internal or via htaccess) or ip restriction, in any other case, google bot will sooner or later find out and crawl the site despite robots.txt (robots.txt carries purely advisory parameters that search engine bots do not always fulfill)