Watch the tool-calling loop one step at a time: the model decides to call a function, your code runs it, the result returns, and the model answers, with the exact payload at every stage.
A model can only produce text, so tool calling is how it reaches the real world. It never runs anything itself: it emits a structured request naming a function and its arguments, your code runs the real function, and you hand the result back for the model to use. Repeat that loop (call a tool, read the result, decide what’s next) and you have an agent. This walks through one full turn so the hand-off is concrete.
The model proposes; your code disposes. Treat tool arguments as untrusted input: validate them against your schema before acting. Everything here is a static illustration running in your browser.
No, the model does not run the function itself. It only emits the name and arguments. Your application runs the function, which is exactly why you stay in control of what’s allowed.
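One way to enforce that control on the application side, as an added example that is not code from the original page: a dispatcher that checks a model-emitted call against an allow-list and a schema before running anything. The `get_weather` tool, its schema, and the `name`/`arguments` call format are assumptions made for illustration.

```python
import json

def get_weather(city, unit="celsius"):
    # Hypothetical tool with a stubbed result; a real one would call an API.
    return {"city": city, "temp": 18, "unit": unit}

# Allow-list of tools the application will run, with the schema for each.
TOOLS = {
    "get_weather": {
        "fn": get_weather,
        "required": ["city"],
        "params": {
            "city": {"type": str, "max_len": 64},
            "unit": {"type": str, "enum": {"celsius", "fahrenheit"}},
        },
    },
}

def validate(spec, args):
    """Return a list of problems; an empty list means args match the schema."""
    if not isinstance(args, dict):
        return ["arguments must be an object"]
    errors = [f"unknown argument: {k}" for k in args if k not in spec["params"]]
    errors += [f"missing argument: {k}" for k in spec["required"] if k not in args]
    for key, value in args.items():
        rule = spec["params"].get(key)
        if rule is None:
            continue  # already reported as unknown
        if type(value) is not rule["type"]:
            errors.append(f"{key}: wrong type")
        elif "enum" in rule and value not in rule["enum"]:
            errors.append(f"{key}: not an allowed value")
        elif "max_len" in rule and not 0 < len(value) <= rule["max_len"]:
            errors.append(f"{key}: length out of range")
    return errors

def dispatch(raw_call):
    """Run one model-emitted tool call, or return an error payload instead."""
    try:
        call = json.loads(raw_call)
    except (TypeError, ValueError):
        return {"ok": False, "error": "tool call is not valid JSON"}
    name = call.get("name") if isinstance(call, dict) else None
    if not isinstance(name, str) or name not in TOOLS:
        return {"ok": False, "error": "tool not on the allow-list"}
    errors = validate(TOOLS[name], call.get("arguments"))
    if errors:
        return {"ok": False, "error": "; ".join(errors)}
    return {"ok": True, "result": TOOLS[name]["fn"](**call["arguments"])}
```

The error payload is returned to the model in place of a tool result, so a rejected call never reaches the function.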
Tool calling is the model deciding to invoke a tool; MCP is the standard for describing and connecting those tools so they’re reusable across apps.