Agent tool use is the mechanism that turns a language model from a text generator into a system that acts. The application gives the model a typed catalog of functions it may call; on each turn the model either replies with text or emits a function call with arguments; the runtime executes the function and returns the result to the model as the next message.

Anatomy of a tool call.

  • Tool schema. The provider receives a JSON Schema for each tool: name, description, parameters, return shape. This schema is what the model uses to decide when to call and how to construct arguments.
  • Call message. When the model decides to use a tool, it returns a structured tool-call message instead of free text. The application validates the arguments against the schema and executes.
  • Result message. The application returns the function's output as a tool-result message. The model reads it and continues the conversation, either with more tool calls or with a final text answer.

Where the rails go.

The model is not the authorization decision. Every tool that touches a customer's data or modifies external state passes through the application's real auth, validation, and rate-limit layers. The tool schema describes what the model can request; the application decides what it is allowed to do.
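One way to place those rails in front of tool execution, as an added example that is not taken from any provider's SDK. The names TOOLS, Session, Denied and dispatch, the two billing tools, and the scope strings are hypothetical and constructed for illustration.

```python
# Added example: every name here (TOOLS, Session, Denied, dispatch) is hypothetical.
from dataclasses import dataclass

# Constructed catalog: what the model may *request*, plus the scope each tool needs.
TOOLS = {
    "get_invoice": {"params": {"customer_id": str, "invoice_id": str},
                    "scope": "billing:read"},
    "refund_invoice": {"params": {"customer_id": str, "invoice_id": str,
                                  "amount_cents": int},
                       "scope": "billing:write"},
}

@dataclass
class Session:
    """Authenticated caller, established by the application, never by the model."""
    customer_id: str
    scopes: frozenset
    max_calls: int = 5
    calls: int = 0

class Denied(Exception):
    """Raised when the application refuses a model-emitted tool call."""

def dispatch(session, name, args, handlers):
    """Execute a tool call only after validation, authorization and rate limiting."""
    tool = TOOLS.get(name)
    if tool is None:
        raise Denied("unknown tool")
    # 1. Validation: exact parameter set and exact types (a bool is not an int).
    if set(args) != set(tool["params"]):
        raise Denied("unexpected or missing arguments")
    for key, typ in tool["params"].items():
        if type(args[key]) is not typ:
            raise Denied(f"bad type for {key}")
    # 2. Authorization: decided from the session, not from anything the model wrote.
    if tool["scope"] not in session.scopes:
        raise Denied("missing scope")
    if args["customer_id"] != session.customer_id:
        raise Denied("cross-customer access")
    # 3. Rate limit: refused calls do not consume budget, executed calls do.
    if session.calls >= session.max_calls:
        raise Denied("rate limit")
    session.calls += 1
    return handlers[name](**args)
```

The customer_id check is the one that matters most in practice: the model can be talked into supplying any identifier, so the comparison is against the session the application authenticated.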

Designing the tool catalog.

Fewer, sharper tools beat more, fuzzy tools. A catalog with five well-named tools that each do one thing well outperforms a catalog of twenty overlapping tools. The quality of the model's tool choices correlates inversely with catalog size; aim for the smallest catalog that covers the workflow.

Frequently asked.

What is tool use in language models?
Tool use is the pattern where a model is given a typed set of functions it can call (search, database queries, API calls, code execution) and the runtime executes the calls and returns results. The model becomes an actor in real systems, not just a text generator. The major model providers (Anthropic, OpenAI, Google) all support this natively.
Is tool use the same as function calling?
They're the same mechanism with slightly different vendor names. OpenAI calls it 'function calling'; Anthropic calls it 'tool use'. Both refer to the model emitting a structured function-call message that the runtime executes and feeds back. The Model Context Protocol generalises this so the same model can use tools from any compliant server.
How many tools should I expose to a single agent?
As few as the workflow allows. Five sharply-defined tools usually outperform twenty fuzzy ones. As the catalog grows the model gets worse at picking the right tool and at constructing arguments. If you need more capabilities, split the workflow across multiple specialist agents, each with its own catalog.
Who authorizes a tool call — the model or the application?
Always the application. The model decides which tool it wants to use; the application's auth and validation layers decide whether the call is allowed. Trusting the model for authorization decisions is the canonical way to ship a security incident. The tool schema describes capability; the application enforces policy.