Description
Onion services are very clunky for direct use, acting more like IP addresses than human-readable domains. Using them directly is appropriate for servers that desire anonymity, but for most Mastodon instances their main purpose is to allow Tor clients to connect without using an exit node.
Ideally, a user would be able to use the clearnet domain of a Mastodon instance over Tor and seamlessly connect through a single onion service. That may sound impossible without sacrificing security, but it is actually trivially easy thanks to a somewhat obscure feature of HTTP: alternative services.
Alternative services allow a connection to an origin to go through a different machine, while still using the TLS certificate of the origin. They work completely transparently, such that the user (and almost every layer of software) generally has no idea anything is different.
They are particularly useful for Tor: by specifying an onion address as an alternative service, you can make HTTPS connections that are authoritative for the clearnet address. Cloudflare calls this Opportunistic Onions, and everything they host uses it by default. In fact, if you go to Mastodon's website in Tor Browser and examine the traffic, you'll find that you're actually connecting through an onion service!
This approach is considerably improved by HTTPS records, once that standard is finalized. All major browsers have an implementation that works with the draft specification, and Safari even enables it by default. HTTPS records have a number of advantages, one of which is allowing the onion service to be used from the moment a user first tries to connect.
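As an added illustration (not code from this issue or from Mastodon), here is a small Python check that a client or instance operator could run against an Alt-Svc header: it parses the RFC 7838 syntax and verifies that the advertised alternative is a well-formed v3 onion hostname, including Tor's SHA3-256 checksum and version byte, so a malformed or mistyped onion alternative is noticed before anyone relies on it. The 32-byte public key used to build the sample address is constructed, not a real service.

```python
import base64
import hashlib
import re

# A v3 onion hostname is 56 base32 characters (32-byte ed25519 key, 2-byte checksum, 1 version byte).
ONION_V3_RE = re.compile(r"^[a-z2-7]{56}\.onion$")
VERSION = b"\x03"


def onion_checksum(pubkey: bytes) -> bytes:
    # Tor rend-spec-v3: CHECKSUM = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]
    return hashlib.sha3_256(b".onion checksum" + pubkey + VERSION).digest()[:2]


def make_onion_v3(pubkey: bytes) -> str:
    """Build the .onion hostname for a 32-byte ed25519 public key (constructed input is fine)."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion services use a 32-byte ed25519 public key")
    raw = pubkey + onion_checksum(pubkey) + VERSION
    return base64.b32encode(raw).decode().lower() + ".onion"


def is_valid_onion_v3(host: str) -> bool:
    """Check alphabet, length, version byte and checksum of a v3 onion hostname."""
    if not ONION_V3_RE.match(host):
        return False
    raw = base64.b32decode(host[:-len(".onion")].upper())  # 56 chars -> 35 bytes, no padding
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    return version == VERSION and checksum == onion_checksum(pubkey)


def parse_alt_svc(header: str) -> list:
    """Parse an Alt-Svc header (RFC 7838) into dicts: protocol, host, port, ma, persist."""
    if header.strip() == "clear":  # "clear" withdraws all previously advertised alternatives
        return []
    entries = []
    for alt in header.split(","):
        parts = [p.strip() for p in alt.split(";")]
        proto, _, authority = parts[0].partition("=")
        host, _, port = authority.strip('"').rpartition(":")  # empty host means "same host"
        params = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        entries.append({"protocol": proto.strip(), "host": host, "port": int(port) if port else 443,
                        "ma": int(params.get("ma", 86400)), "persist": params.get("persist") == "1"})
    return entries


def onion_alternatives(header: str) -> list:
    """Hostnames from the header that are structurally valid v3 onion services."""
    return [e["host"] for e in parse_alt_svc(header) if is_valid_onion_v3(e["host"])]
```

The certificate check is unchanged by this: per RFC 7838 the onion endpoint must still present a certificate valid for the clearnet origin, which is why the browser can treat the connection as authoritative.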