
Server-to-server authentication

In order for instances to verify each other's identity, a weak authentication mechanism is used, based on a simple DNS dialback negotiation. The process goes roughly like this:

  1. Server A wants to prove its identity to Server B
  2. Server A tells Server B its dialback endpoint, via Server B's auth endpoint listed in its instance metadata
  3. Server B independently connects to the given endpoint and sends a secret token
  4. Server A, having received the secret, sends it back to Server B's auth endpoint
  5. Server B responds with an auth token, which Server A can use in subsequent requests to prove who it is
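The five steps above, simulated in one process. This is an added example, not the project's own code: the `Server` class, its method names and the `NETWORK` dictionary (which stands in for DNS resolution plus the HTTP calls between instances) are all hypothetical.

```python
import hmac
import secrets

NETWORK = {}  # hostname -> Server; stands in for DNS lookup + HTTP (assumption)

class Server:
    def __init__(self, host):
        self.host = host
        self.received = {}  # peer host -> secret delivered to our dialback endpoint
        self.pending = {}   # claimed host -> secret we sent and expect to get back
        self.sessions = {}  # auth token -> verified peer host
        NETWORK[host] = self

    # --- Server B's role ---
    def auth_begin(self, dialback_host):
        """Steps 2-3: peer names its dialback endpoint; we connect to it ourselves."""
        secret = secrets.token_urlsafe(32)
        self.pending[dialback_host] = secret
        # Delivery follows our own lookup, so it reaches the real owner of the name.
        NETWORK[dialback_host].dialback(self.host, secret)

    def auth_finish(self, claimed_host, secret):
        """Steps 4-5: peer echoes the secret; issue an auth token if it matches."""
        expected = self.pending.pop(claimed_host, None)  # each secret is single use
        if expected is None or not hmac.compare_digest(expected, secret):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = claimed_host
        return token

    # --- Server A's role ---
    def dialback(self, from_host, secret):
        self.received[from_host] = secret

    def authenticate_to(self, peer_host, claim_host=None):
        """Step 1: run the exchange, claiming claim_host (default: our own host)."""
        claim = claim_host or self.host
        peer = NETWORK[peer_host]
        peer.auth_begin(claim)
        secret = self.received.pop(peer_host, "")  # empty if dialback went elsewhere
        return peer.auth_finish(claim, secret)

def demo():
    # Constructed hosts: a.example proves itself; evil.example claims to be a.example.
    a, b, evil = Server("a.example"), Server("b.example"), Server("evil.example")
    good = a.authenticate_to("b.example")
    forged = evil.authenticate_to("b.example", claim_host="a.example")
    return good, forged, b.sessions.get(good)
```

The forged attempt fails only because Server B delivers the secret through its own lookup of the claimed name, so the assurance is no stronger than the integrity of DNS resolution and of the connection to the dialback endpoint.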


authentication.1742662200.txt.gz · Last modified: 2025/03/22 16:50 by winter