16. Tool Calling and Function Calling (Where Apps Become Real)

On this page

What this section is for

Tool calling is where LLM apps move from “generate text” to “do work.” A tool is a function/API your app exposes that the model can call to:

This section teaches you how to design tool calling so it is:

The big idea

Tools separate “thinking” from “doing.” The model proposes actions; your system performs controlled actions and returns results.

A tool is not “a helper.” It is a capability you grant to the model. That means:

Once you treat tools as capabilities, “least privilege” becomes the default posture.

Tool calling is how you build features that aren’t just text:

But you only get these benefits if you design tools cleanly and handle failure modes explicitly.

Tool calling introduces predictable risks:

tool misuse: the model calls a tool with bad parameters
side effects: accidental writes, duplicate actions, unintended changes
runaway loops: repeated calls, retry storms, infinite plans
prompt injection via data: untrusted documents instruct the model to call tools
data leakage: tools return sensitive data which is then echoed

Section 16.5 is dedicated to preventing these failures.

Never let tools be “whatever the model wants”

Tools should be narrow, validated, logged, and budgeted. Otherwise you’re building an unsafe agent, not a product feature.