Define and request a tool
The following request gives the model one read-only weather function. It intentionally stops after the model’s tool request so you can inspect and validate the arguments.Complete the tool loop
1
Inspect the assistant message
If
finish_reason is tool_calls, read every item in message.tool_calls. A model can request more than one call.2
Validate arguments
Parse
function.arguments as JSON and validate it against your own schema, permissions, value ranges, and business rules. Treat it as untrusted input.3
Execute with safeguards
Map the exact allowlisted function name to application code. Apply authentication, authorization, deadlines, idempotency, and rate limits.
4
Return tool results
Append the assistant tool-call message and one
role: tool message per call, matching tool_call_id. Then request the final assistant response.Security rules
- Never use
eval, reflection, or arbitrary shell execution on a generated function name. - Require user confirmation for purchases, messages, deletion, permission changes, or other consequential actions.
- Bind tools to the authenticated user and re-check authorization at execution time.
- Limit argument length and recursive JSON depth.
- Remove secrets and unnecessary internal details from tool results.
- Cap loop iterations and detect repeated identical calls.
- Record an audit event for state-changing tools.