One way to do authorization is to sign each operation/message and then verify the signature to match a public key in an access control list. This also enables CRDTs to work in a peer-to-peer context.
But as aboodman says in a sibling comment, if there’s a server as an authority, it can simply reject messages from unauthorized clients.
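A sketch of the signed-operation scheme described in the comment above, as an added example that is not part of the original post. It assumes Ed25519 from Node's built-in `crypto` module and a grow-only set as the CRDT; the class name, message shape and key-identifier format are hypothetical.

```javascript
// Added example: keys, operations and names are constructed for illustration.
const crypto = require('node:crypto');

// Stable byte encoding so signer and verifier process identical bytes.
const encodeOp = (op) => Buffer.from(JSON.stringify([op.type, op.element, op.author]));

// Identify a public key by its base64 SPKI/DER encoding (assumed identifier format).
const keyId = (publicKey) =>
  publicKey.export({ type: 'spki', format: 'der' }).toString('base64');

// Ed25519 takes no separate digest, hence the null algorithm argument.
const signOp = (op, privateKey) =>
  ({ op, signature: crypto.sign(null, encodeOp(op), privateKey) });

class AuthorizedGSet {
  constructor(aclPublicKeys) {
    this.acl = new Map(aclPublicKeys.map((k) => [keyId(k), k]));
    this.elements = new Set();
  }

  // Apply an op only if its claimed author is in the ACL and the
  // signature verifies under that author's key.
  receive({ op, signature }) {
    const key = this.acl.get(op.author);
    if (!key) return 'rejected: author not in ACL';
    if (!crypto.verify(null, encodeOp(op), key, signature)) return 'rejected: bad signature';
    if (op.type !== 'add') return 'rejected: unknown operation';
    this.elements.add(op.element); // idempotent, so a replayed add changes nothing
    return 'applied';
  }
}

function demo() {
  const alice = crypto.generateKeyPairSync('ed25519');   // listed in the ACL
  const mallory = crypto.generateKeyPairSync('ed25519'); // not listed
  const replica = new AuthorizedGSet([alice.publicKey]);
  const aliceId = keyId(alice.publicKey);

  const good = signOp({ type: 'add', element: 'x', author: aliceId }, alice.privateKey);
  const outsider = signOp({ type: 'add', element: 'y', author: keyId(mallory.publicKey) }, mallory.privateKey);
  const forged = signOp({ type: 'add', element: 'z', author: aliceId }, mallory.privateKey);
  const tampered = { op: { ...good.op, element: 'w' }, signature: good.signature };

  const results = [good, outsider, forged, tampered].map((m) => replica.receive(m));
  return { results, elements: [...replica.elements] };
}
```

Because every replica runs the same check locally, no central server is needed to reject unauthorized operations; the ACL itself still has to be distributed and updated by some trusted means, which this sketch does not cover.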