Applications using ToolTalk do not communicate with each other directly. Instead, communications are handled by two kinds of ToolTalk servers. A session server, called ttsession, handles messages that concern processes, while an object server, called rpc.ttdbserverd, handles messages that concern objects. Applications register with the appropriate ToolTalk servers to tell them what kinds of messages they are interested in. When an application has a message to send, it sends the message to the appropriate ToolTalk server, which redistributes it to any interested applications and returns any replies to the sending application. Session servers group together related processes (for instance, all the programs started by a given user will normally be part of one session), and multiple session servers may run on the same machine.

rpc.ttdbserverd is started from inetd and runs as root, while ttsession is started up as needed and runs as the user that started it. Often, ttsession will be started when a user logs in, but that's not required; if an application wants to use ToolTalk but no ttsession is available, one will be started up.

ToolTalk is based on Sun RPC. Although ToolTalk provides a range of authentication mechanisms, most ToolTalk implementations use the simplest one, which authorizes requests based on the unauthenticated Unix user information embedded in the request. This is completely forgeable. In addition, there have been a variety of security problems with the ToolTalk implementation, including buffer overflow problems in rpc.ttdbserverd and in the ToolTalk client libraries. Several of these problems have allowed remote attackers to run arbitrary programs as root.