Skip to main content
Function calling lets a model request a named application operation with structured arguments. Your code—not the model—decides whether to execute the function and returns the result for a final response.

Define and request a tool

The following request gives the model one read-only weather function. It intentionally stops after the model’s tool request so you can inspect and validate the arguments.

Complete the tool loop

1

Inspect the assistant message

If finish_reason is tool_calls, read every item in message.tool_calls. A model can request more than one call.
2

Validate arguments

Parse function.arguments as JSON and validate it against your own schema, permissions, value ranges, and business rules. Treat it as untrusted input.
3

Execute with safeguards

Map the exact allowlisted function name to application code. Apply authentication, authorization, deadlines, idempotency, and rate limits.
4

Return tool results

Append the assistant tool-call message and one role: tool message per call, matching tool_call_id. Then request the final assistant response.

Security rules

  • Never use eval, reflection, or arbitrary shell execution on a generated function name.
  • Require user confirmation for purchases, messages, deletion, permission changes, or other consequential actions.
  • Bind tools to the authenticated user and re-check authorization at execution time.
  • Limit argument length and recursive JSON depth.
  • Remove secrets and unnecessary internal details from tool results.
  • Cap loop iterations and detect repeated identical calls.
  • Record an audit event for state-changing tools.
A JSON schema improves argument shape; it does not make the requested action safe or correct. Application-side validation and authorization remain mandatory.
Last modified on July 13, 2026