Go back

How Function Calling Works

How Function Calling Works

I built a support bot for customer service and users kept asking “what’s my account balance?” The AI couldn’t answer because it had no way to access our database. I tried putting sample account data in the prompt, but that obviously didn’t work for real users with real accounts.

Then I discovered function calling, which some providers also call tool use. Now when users ask about their balance, the AI calls a function that queries our actual database, gets their real account number, and responds with accurate information.

Same AI model. Completely different capabilities. The only change is that it can now execute code.

Table of contents

Open Table of contents

What Is Function Calling?

Function calling allows the AI model to request execution of external functions that you define during the conversation.

Without function calling: User asks “What’s 847 × 923?” and the AI guesses “Approximately 781,681” which is completely wrong.

With function calling: User asks “What’s 847 × 923?” and the AI calls your calculate(847, 923) function, your code executes the actual calculation and returns 781,781, then the AI responds with confidence “847 × 923 = 781,781.”

The model recognizes when it needs external help, requests a function call with specific arguments, your code executes that function and returns the result, and the model incorporates that result into its response.

How It Works

The function calling workflow follows a clear six-step process:

  1. Define available functions by telling the model what functions it can call and what arguments each one accepts
  2. User asks a question that requires external data or computation beyond the model’s knowledge
  3. Model decides to call a function and returns structured JSON containing the function name and arguments
  4. Your code executes that function using the provided arguments to get real data or perform calculations
  5. Send the result back to the model along with the original conversation context
  6. Model responds with a natural language answer that incorporates the function result

Critically, the model never directly accesses your database or systems. It only requests function calls, your code executes them with proper security checks, and you explicitly send the results back.

When You Need It

Access real-time data that changes constantly: Current weather forecasts and live stock prices can’t come from the model’s training data, which is always months old at best.

Perform precise calculations: Large language models are notoriously bad at math and arithmetic. Use a function call to get precise, reliable calculations every single time.

Query your database for user-specific information: When a user asks “Show me my last 5 orders,” the AI calls your get_user_orders function and you run the actual SQL query against your database.

Call external APIs to take real-world actions: When someone says “Book a flight to NYC this Friday,” the model parses their intent, calls your search_flights function, and your code hits the airline API with those parameters.

Modify data in your systems: When a user says “Cancel my subscription,” the AI calls your cancel_subscription function. This is incredibly powerful but also dangerous, which is why you absolutely need proper authentication and authorization checks.

When You Don’t Need It

Answers already in the conversation context: Document summarization doesn’t need function calling because you already gave the AI the entire document to work with.

Pure text generation tasks: Writing product descriptions doesn’t require external data, so function calling would just slow things down unnecessarily.

Static knowledge the model already has: Questions like “What’s the capital of France?” don’t need function calls because the model already knows that Paris is the answer.

Analysis of data you already provided: Sales trend analysis doesn’t need functions when you’ve already included the sales data directly in your prompt.

Multi-Step Calling

Modern AI models can orchestrate complex multi-step workflows automatically. When a user says “Book the cheapest flight to NYC next Friday and add it to my calendar,” here’s what happens:

The model first calls search_flights with the date and destination, your code returns available flight options, the model analyzes them and calls book_flight with the cheapest option, your code confirms the booking, the model then calls add_to_calendar with the flight details, and the entire workflow completes successfully. The model orchestrates all of these function calls sequentially without you having to manually manage the flow.

Common Mistakes

Not validating function inputs properly: The model might hallucinate arguments or pass malformed data, so you absolutely must validate every argument before executing the function.

Exposing dangerous functions without authentication: Always check user permissions before executing destructive operations like delete_user, modify_billing, or cancel_account.

Providing too many function options: Giving the model 50 different functions to choose from confuses it and degrades performance. Keep it to 5-10 functions for a general support bot, or just 2-3 for a specialized tool.

Not handling errors gracefully: When your database is down or an external API times out, you need to handle these failures gracefully and send clear error messages back to the model.

Using function calling for everything: If the answer is already in your prompt context, don’t waste time calling a function. It’s slower and wastes unnecessary API calls.

Parallel Calling

Many modern AI models support parallel function calling for better performance. When a user asks “What’s the weather in SF and NYC?” the model can call both get_weather(“SF”) and get_weather(“NYC”) simultaneously rather than sequentially, which is dramatically faster than waiting for the first call to complete before starting the second.

Security

Function calling allows an AI to execute code directly in your system, which introduces serious security risks. You’re vulnerable to SQL injection attacks, unauthorized actions on user accounts, data leaks to unauthorized users, and code execution vulnerabilities.

Treat every function like you would treat a public API endpoint: rigorously validate all inputs, check authentication and authorization before executing anything, sanitize data before using it in queries, and log all actions for audit trails.

The AI model is not a trusted actor in your system. Your code is solely responsible for all security checks and enforcement.

Bottom Line

Function calling fundamentally transforms AI from being just a text generator into being an agent that can take real actions in your systems. It can query databases for user data, call external APIs to book flights, perform precise calculations, and modify data in your application.

Use function calling when you genuinely need external data or computation that the model can’t provide on its own. Don’t use it when simple prompting with context already gives you the answer, because you’re just adding unnecessary complexity and latency.

Always rigorously validate and secure every function you expose to the model. The AI makes the request, but your code is ultimately responsible for deciding whether to execute it safely.

Share this post on:
Share this post via WhatsAppShare this post on FacebookShare this post on XShare this post via TelegramShare this post on PinterestShare this post via email
Previous Post
Do LLMs Truly Reason?
Next Post
Most AI Products Are Just API Wrappers. That's Fine.