This can be done with nip42 auth to a paid relay (or relay with ACL). Client can auth with a known key, and post with a throwaway key.