Updated 2026-06-21 · Version 1.0

What is Tool Use (Function Calling)?

Tool use, also called function calling, lets a language model invoke external functions, APIs or code to fetch information or take actions in the real world. The model decides which tool to call and with what arguments; the application runs the tool and returns the result, which the model uses to continue. Tool use is the bridge that turns a text generator into an agent that can actually do things.

Definition

Tool use (function calling) is the capability that lets a language model call predefined external functions or APIs, with arguments it generates, and incorporate the results into its response or next step.

Key takeaways

  • Tool use connects a model to live data and real actions.
  • The model picks the tool and arguments; the app executes it.
  • Clear, well-described tools dramatically improve reliability.
  • It is the core mechanism behind agents and MCP.
  • Tool access expands capability and the security surface alike.

Context

On its own a model only produces text. Tool use breaks that boundary: given a set of declared tools, the model can choose to call one — for example a search, a database query or a payment API — and then reason over the result.

How tools are described matters as much as the model. Tools written for a model to use — clear names, precise parameters, helpful descriptions and error messages — are a central concern of harness engineering.

Architecture

The loop: the application declares tools (name, description, parameter schema); the model emits a structured tool call; the application validates and executes it; the result returns to the model as an observation; the model continues or answers.

MCP standardizes how tools are exposed and discovered across applications, so a tool written once can be reused by any compliant client. Guardrails and permissions wrap execution to keep it safe.
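The validate-and-execute step of the loop, with permissions wrapped around it, as an added example (not code from this page or from any SDK). The tool names, registry layout and the `execute_tool_call` function are hypothetical and the data is constructed:

```python
import json

# Constructed tool registry: name -> parameter schema, side-effect flag, handler.
TOOLS = {
    "get_order": {
        "params": {"order_id": int},
        "writes": False,
        "run": lambda a: {"order_id": a["order_id"], "status": "shipped"},
    },
    "refund_order": {
        "params": {"order_id": int, "amount_cents": int},
        "writes": True,
        "run": lambda a: {"refunded": a["amount_cents"]},
    },
}

def execute_tool_call(raw_call, granted, allow_writes=False):
    """Validate a model-emitted tool call, then run it. Returns an observation dict."""
    def deny(reason):
        # Informative errors let the model correct itself on the next turn.
        return {"ok": False, "error": reason}
    try:
        call = json.loads(raw_call)
    except json.JSONDecodeError:
        return deny("tool call is not valid JSON")
    if not isinstance(call, dict):
        return deny("tool call must be a JSON object")
    name, args = call.get("name"), call.get("arguments")
    tool = TOOLS.get(name) if isinstance(name, str) else None
    if tool is None:
        return deny("unknown tool")
    if name not in granted:  # least privilege: per-session allowlist
        return deny("tool not granted to this session")
    if tool["writes"] and not allow_writes:
        return deny("write tool requires explicit approval")
    if not isinstance(args, dict) or set(args) != set(tool["params"]):
        return deny("arguments must match declared parameters exactly")
    for key, expected in tool["params"].items():
        # bool is a subclass of int in Python, so compare exact types.
        if type(args[key]) is not expected:
            return deny(f"parameter {key!r} must be {expected.__name__}")
    # The result goes back as data; the caller must not treat it as instructions.
    return {"ok": True, "tool": name, "untrusted_result": tool["run"](args)}
```

Every denial is returned as an observation rather than raised, so a rejected call still completes the loop and the model sees why it failed.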

Components

  • Tool declaration (schema)
  • Tool selection (model)
  • Argument generation
  • Execution layer
  • Result / observation
  • Guardrails & permissions

Benefits

  • Grounds answers in live, real data.
  • Lets models take real actions, not just describe them.
  • Extends a model without retraining.
  • Composes into full agentic workflows.

Risks

  • Prompt injection can trigger unintended tool calls.
  • Wrong arguments or tool misuse cause real-world errors.
  • Over-broad tool access widens the attack surface.
  • Latency and cost grow with each tool round-trip.

Tools & technologies

  • Function calling APIs
  • Model Context Protocol (MCP)
  • LangGraph / Agents SDKs
  • Schema validation (e.g. JSON Schema, Zod)

Examples

  • A model calling a weather API to answer a forecast question.
  • An agent querying a database to look up an order before acting.
  • A coding agent invoking a test runner and reading the results.

FAQs

Is tool use the same as MCP?
No. Tool use is the model's capability to call functions. MCP is a standard for how those tools and data are exposed and discovered across applications.

How do you make tool use reliable?
Write tools for the model: clear names, precise parameter schemas, useful descriptions and informative errors. Validate arguments and constrain permissions.

What are the security risks?
Tools are real access. Prompt injection can attempt to trigger harmful calls, so apply least-privilege permissions, validate inputs, and treat tool outputs as untrusted.

Does tool use make a model an agent?
It is the key enabler. An agent combines tool use with a control loop, memory and a goal so it can act over multiple steps.
