Glossary
What is Tool calling?
Last updated: 2026-05-26
Definition
Tool calling (also "function calling") is the LLM capability that lets a model emit a structured request to execute an external function, receive the result, and incorporate it into the next response. It is the technical primitive that turns a passive chatbot into an active agent — without tool calling, an LLM can only talk; with it, it can act.
Why Tool calling matters
Every meaningful agent depends on tool calling. The quality of an agent's tools, the precision of their schemas, and the controls around their execution determine 80% of agent reliability and security. Tool calling is also the surface where prompt-injection attacks pay off — narrow tool scopes are the most effective injection defence.
How Tool calling works
1. The developer declares each tool as a JSON Schema: name, description, parameter types, required fields.
2. When the user sends a message, the LLM decides whether a tool call is needed; if so, it emits a structured request with parameter values it inferred from context.
3. The runtime validates the request, executes the tool (HTTP call, DB query, code execution), and returns the result to the LLM as a new message.
4. The LLM uses the tool result to either call another tool, ask the user a follow-up, or produce a final answer.
5. Modern providers (OpenAI, Anthropic, Google) all support parallel tool calls, where the LLM emits multiple tool requests in one turn for the runtime to fan out.
Examples
- A sales agent calls `crunchbase_lookup(company="Acme")` to fetch funding data, then `linkedin_employees(company="Acme")` to size the org, before drafting the outreach.
- A finance agent calls `currency_convert(from="USD", to="EUR", amount=1500)` to get a current rate before quoting in a sales reply.
- A code-review agent calls `repo_diff(pr_url)` and `test_runner(branch)` in parallel before commenting on the PR.
Related concepts
AI agent
An AI agent is a software program that uses a large language model (LLM) to autonomously plan and complete a task, combining reasoning, tool use, and memory. Unlike a one-shot prompt, an agent can break a goal into steps, call external tools or APIs, and decide what to do next based on intermediate results.
Model Context Protocol (MCP)
Model Context Protocol (MCP) is an open standard introduced by Anthropic in 2024 that defines how AI agents connect to external data sources and tools. MCP servers expose data and capabilities; MCP clients (LLMs and agent platforms) discover and call them through a uniform interface — eliminating per-tool custom integration code.
Prompt injection
Prompt injection is an attack where untrusted text fed to an LLM overrides the developer's instructions, causing the model to leak data, call unauthorised tools, or follow attacker goals. It is the LLM equivalent of SQL injection and ranks #1 on the OWASP Top 10 for LLM applications because there is no model-level fix — defence requires layered controls outside the model.
Multi-agent orchestration
Multi-agent orchestration is the practice of chaining multiple specialized AI agents into a single workflow, where each agent has a defined role (researcher, writer, reviewer, publisher) and outputs flow from one agent to the next. The orchestrator decides the order, handles retries, and enforces guardrails between steps.
FAQ
Tool calling — common questions
- Is "tool calling" the same as MCP?
- No. Tool calling is the LLM-side capability — the model emits a request to execute a function. MCP (Model Context Protocol) is a standardised wire format for SERVING tools to any LLM client. You can do tool calling without MCP (raw HTTP, vendor SDKs) but MCP makes tool sets portable across clients and platforms.
- How many tools can one agent have?
- Technically the limit is the context window — every tool schema is in the prompt. Practically, 20-30 well-scoped tools per agent is the sweet spot; beyond ~50 the model starts mis-routing. Multi-agent orchestration is the answer when a single workflow needs more tools than that.
- What is the security model for tool calling?
- The model decides WHICH tool to call but the runtime decides WHETHER to allow it. Production agents must scope tool credentials per agent (not per user), validate every tool argument, and gate destructive actions behind human approval. Treat every tool call as untrusted input.
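As an added example (not code from this glossary or any vendor SDK), the following Python puts steps 1 and 3 of the sequence above and the security-model answer just given into one runtime gate: a constructed tool registry with a JSON Schema per tool, a validator for the arguments the model supplied, and a decision function that allowlists tool names, rejects malformed or unexpected arguments, and requires human approval before a destructive tool runs. The tool names, the registry layout and the `approve` callback are assumptions; the validator covers only the schema keywords the registry uses, not the full JSON Schema spec.

```python
import json
import re
# Constructed registry: a JSON Schema per tool (step 1) plus a runtime-only
# "destructive" flag the model never sees. Tool names are hypothetical.
TOOLS = {
    "currency_convert": {"destructive": False, "schema": {
        "type": "object", "required": ["from", "to", "amount"], "properties": {
            "from": {"type": "string", "pattern": "[A-Z]{3}"},
            "to": {"type": "string", "pattern": "[A-Z]{3}"},
            "amount": {"type": "number"}}}},
    "delete_record": {"destructive": True, "schema": {
        "type": "object", "required": ["id"], "properties": {"id": {"type": "integer"}}}},
}
TYPES = {"string": str, "number": (int, float), "integer": int}

def validate_args(schema, args):
    """Check model-supplied arguments against the tool schema (only the keywords the
    registry uses: required, properties, type, pattern). Returns a list of violations."""
    props, errors = schema["properties"], []
    errors += [f"missing required: {k}" for k in schema.get("required", []) if k not in args]
    for name, value in args.items():
        spec = props.get(name)
        if spec is None:                       # unknown keys are never forwarded to the tool
            errors.append(f"unexpected argument: {name}")
        elif isinstance(value, bool) or not isinstance(value, TYPES[spec["type"]]):
            errors.append(f"{name}: expected {spec['type']}")
        elif "pattern" in spec and not re.fullmatch(spec["pattern"], value):
            errors.append(f"{name}: does not match /{spec['pattern']}/")
    return errors

def gate_tool_call(call, approve):
    """Runtime decision for one tool request the model emitted (step 3 and the security
    FAQ): the model picks the tool, the runtime decides whether it runs."""
    name = call.get("name")
    if name not in TOOLS:                      # allowlist: never run a name the model invented
        return "reject", f"unknown tool: {name}"
    args = call.get("arguments", {})
    if isinstance(args, str):                  # some providers send arguments as a JSON string
        try:
            args = json.loads(args)
        except json.JSONDecodeError:
            return "reject", "arguments are not valid JSON"
    if not isinstance(args, dict):
        return "reject", "arguments must be a JSON object"
    if errors := validate_args(TOOLS[name]["schema"], args):
        return "reject", "; ".join(errors)
    if TOOLS[name]["destructive"] and not approve(name, args):  # human gate for step 3
        return "reject", "destructive tool requires human approval"
    return "execute", args
```

Only the `("execute", args)` branch should ever reach the tool implementation; every `reject` reason is worth logging, since a burst of unknown tool names or out-of-pattern arguments is a cheap injection signal.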