There's a handshake before you accept a connection to anyone. Each peer generates a keypair and sends the public key to our servers (which they're authed with). On connection, peers receive the public key from the Squawk servers, and perform a handshake to verify their identity. This all happens p2p.
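The comment above does not say how the handshake itself works. The sketch below is an added example, not Squawk's code or part of the original comment: it assumes an Ed25519 signature over a fresh nonce chosen by the verifier, with `Directory` standing in for the authenticated key lookup on the server. All names (`Directory`, `Register`, `Respond`, `VerifyPeer`) and the transcript format are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Directory stands in for the authenticated server (assumption): it maps a
// user ID to the public key that user uploaded.
type Directory map[string]ed25519.PublicKey

// Register generates a keypair for id and publishes the public half to dir.
func Register(dir Directory, id string) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dir[id] = pub
	return priv
}

// transcript binds a signature to both identities and the verifier's nonce,
// so it cannot be replayed in another session or toward another peer.
func transcript(signer, verifier string, nonce []byte) []byte {
	return []byte(fmt.Sprintf("handshake-example-v1|%q|%q|%x", signer, verifier, nonce))
}

// Respond is run by the connecting peer: sign the verifier's challenge.
func Respond(priv ed25519.PrivateKey, signerID, verifierID string, nonce []byte) []byte {
	return ed25519.Sign(priv, transcript(signerID, verifierID, nonce))
}

// VerifyPeer checks the response against the key the directory holds for claimedID.
func VerifyPeer(dir Directory, claimedID, verifierID string, nonce, sig []byte) bool {
	pub, ok := dir[claimedID]
	return ok && ed25519.Verify(pub, transcript(claimedID, verifierID, nonce), sig)
}

func main() {
	dir := Directory{}
	alicePriv := Register(dir, "alice") // constructed sample identity
	nonce := make([]byte, 32)           // fresh challenge picked by the verifier ("bob")
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	sig := Respond(alicePriv, "alice", "bob", nonce)
	fmt.Println("bob accepts alice:", VerifyPeer(dir, "alice", "bob", nonce, sig))
}
```

A successful check proves only that the peer holds the private key matching the public key the directory returned, so it inherits whatever trust is placed in that key lookup.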
How do you verify that you are connected to the person you think you are connected to?