L1
Β·
Quiz
Β·
Lab
L2
Β·
Quiz
Β·
Lab
L3
Β·
Quiz
Β·
Lab
L4
Β·
Quiz
Β·
Lab
Module Test
Module 3 Β· Lesson 1

What Is Tool Use?

How Claude bridges language understanding and real-world action
Why can't Claude just answer everything from its training β€” and what changes when you give it tools?

When Anthropic publicly released tool use for Claude in the spring of 2024, the documentation described it as giving the model "the ability to interact with external services and systems." What changed wasn't Claude's knowledge β€” it was Claude's reach. A language model that previously could only reason about the world could now query a live database, run a calculation, or send an HTTP request.

The pattern had precedent: OpenAI had shipped function calling for GPT-4 in June 2023. But Anthropic's implementation, released as the tools parameter in the Messages API, offered a structured JSON schema approach that developers quickly adopted for complex multi-step agent workflows.

The Core Problem Tool Use Solves

Claude's training gives it a static snapshot of knowledge up to a cutoff date. It cannot browse the web, check the current time, query your database, or execute code in a sandboxed environment β€” unless you explicitly provide those capabilities as tools.

Tool use is the mechanism by which you extend Claude's effective capabilities beyond inference. Instead of answering "what is the current stock price of NVDA?" from memory (which would be wrong), Claude can call a get_stock_price function you define, receive the real-time result, and incorporate it into a coherent response.

Key Distinction

Claude does not execute your tools. It requests that a tool be called by outputting a structured tool_use content block. Your code receives that request, runs the actual function, and sends the result back. Claude is the planner; your application is the executor.

The Request–Response Loop

Tool use is not a single API call β€” it is a dialogue. Understanding the turn structure is essential before writing a single line of code.

1
You send: messages + tools definition
Your API request includes a tools array describing available functions and a messages array with the user's request.
2
Claude responds: stop_reason = "tool_use"
Instead of a final answer, Claude returns a tool_use content block containing the tool name and a JSON input object.
3
Your code: execute the function
You read the tool name and input, run your actual function (database query, API call, calculation), and capture the result.
4
You send: tool_result back to Claude
You append the assistant's tool_use message and a new user message containing a tool_result content block with the function output.
5
Claude responds: final answer
Claude synthesizes the tool result with the original question and produces a natural-language response. stop_reason is now "end_turn".
A Minimal Tool Definition

Every tool is described using a JSON Schema subset. The three required fields are name, description, and input_schema. Claude reads the description to decide when to call the tool and reads the schema to know what parameters to provide.

# Minimal tool definition tools = [ { "name": "get_weather", "description": "Returns current weather for a city. Call this whenever the user asks about weather or temperature.", "input_schema": { "type": "object", "properties": { "city": { "type": "string", "description": "City name, e.g. 'San Francisco'" }, "unit": { "type": "string", "enum": ["celsius", "fahrenheit"] } }, "required": ["city"] } } ]
Writing Good Descriptions

The description field is the most important part of a tool definition. Claude uses it to decide whether to call the tool at all. Be specific about when the tool should and should not be used. Anthropic's own documentation notes: "Claude will use descriptions to determine when and how to use tools, so good descriptions can significantly improve tool use performance."

Why This Architecture Matters

The two-turn pattern (Claude requests β†’ you execute β†’ Claude finalises) is not an implementation detail to work around. It is a deliberate safety boundary. Claude cannot directly execute code or call APIs β€” it can only request that your application do so. This means you retain full control over what actually runs. You can validate inputs, rate-limit calls, and log every tool invocation before it happens.

This separation becomes especially important when building autonomous agents. Claude might chain multiple tool calls across many turns, but at every step, your orchestration layer is the gatekeeper. Anthropic explicitly designed it this way to maintain human oversight in agentic workflows.

tool_useA content block type returned by Claude when it wants to invoke a tool. Contains id, name, and input fields.
tool_resultA content block type you send back in the next user message. Contains the tool_use_id (matching the request) and the content (the function output).
input_schemaA JSON Schema object describing the parameters Claude should pass when calling the tool.
stop_reasonEither "tool_use" (Claude wants to call a tool) or "end_turn" (Claude has produced a final answer).

Lesson 1 Quiz

What Is Tool Use? β€” 4 questions
What does Claude actually do when it "uses a tool"?
Correct. Claude produces a tool_use block as output. Your application code reads it, runs the actual function, and sends the result back. Claude never directly executes anything.
Not quite. Claude cannot directly execute functions or call APIs. It outputs a structured request; execution is always handled by your code.
Which field in a tool definition does Claude primarily use to decide when to call the tool?
Correct. The description is what Claude reads to understand when the tool is appropriate. Anthropic notes that good descriptions "significantly improve tool use performance."
The description field is the key signal. Claude reads it to decide whether the current user request warrants calling the tool at all.
After Claude returns a stop_reason of "tool_use", what must you include in your next API request?
Correct. You must maintain the full conversation history, appending the assistant's tool_use turn and a new user turn with the tool_result block containing the function output.
The tool result must be sent back as a properly structured user message. Claude has no way to receive results unless your code sends them in the next request.
Why does Anthropic's tool use architecture require your code to execute functions rather than letting Claude execute them directly?
Correct. The separation is a deliberate safety boundary. Your orchestration layer remains the gatekeeper at every tool invocation, which is especially important in autonomous agent workflows.
The design is intentional for safety and oversight. Anthropic explicitly separated planning (Claude) from execution (your code) so developers retain control over what actually runs.

Lab 1: Tool Definition Workshop

Practice designing clear, effective tool definitions

Your Task

In this lab you'll work with an AI coach to practice writing and critiquing tool definitions. Describe tools you want to build, discuss schema design decisions, and get feedback on your descriptions.

Have at least 3 exchanges to complete this lab.

Try: "I want to build a tool that looks up a customer's order history. Help me write a good tool definition for it." β€” or ask about best practices for tool descriptions.
Tool Design Coach
Lesson 1 Lab
Welcome to the tool definition workshop. I'm here to help you design clear, effective tool definitions for the Anthropic API. Tell me about a tool you want to build β€” what should it do? β€” and we'll craft a solid name, description, and input_schema together.
Module 3 Β· Lesson 2

Building Your First Tool Call

Complete code walkthrough: from API request to executed function and back
How do you wire together a tool definition, an API call, and a result-handling loop in real Python code?

When Anthropic released the claude-3-opus-20240229 model in March 2024, it arrived with tool use baked in. Early adopters on the Anthropic Discord documented patterns for the multi-turn loop almost immediately. The core challenge wasn't the API itself β€” the structure is clean β€” but grasping why you need to append both the assistant's tool_use turn and your tool_result turn before the final call. Skip either and Claude lacks the context to synthesise a coherent answer.

Step 1 β€” Install and Import

The official Python SDK handles authentication, retry logic, and response parsing. Install it once and import the client.

# pip install anthropic import anthropic import json client = anthropic.Anthropic() # reads ANTHROPIC_API_KEY from env
Step 2 β€” Define Tools and Send the First Request
tools = [ { "name": "get_stock_price", "description": ( "Returns the current stock price for a given ticker symbol. " "Call this whenever the user asks about stock prices or market data." ), "input_schema": { "type": "object", "properties": { "ticker": { "type": "string", "description": "Stock ticker symbol, e.g. NVDA, AAPL, MSFT" } }, "required": ["ticker"] } } ] messages = [{"role": "user", "content": "What is Nvidia's stock price right now?"}] response = client.messages.create( model="claude-opus-4-5", max_tokens=1024, tools=tools, messages=messages )
Step 3 β€” Check the Response and Execute the Tool
if response.stop_reason == "tool_use": # Find the tool_use block tool_use_block = next( b for b in response.content if b.type == "tool_use" ) tool_name = tool_use_block.name tool_input = tool_use_block.input tool_id = tool_use_block.id # YOUR function executes here β€” Claude does NOT do this def get_stock_price(ticker): # In real code: call a market data API return {"ticker": ticker, "price": "875.40", "currency": "USD"} result = get_stock_price(**tool_input)
Step 4 β€” Send the Result Back

This is the step most developers get wrong on first attempt. You must append both the assistant's response (containing the tool_use block) and a new user message with the tool_result. Both are required for the conversation to make sense to Claude.

# Append assistant's tool_use turn to history messages.append({ "role": "assistant", "content": response.content # the full content list }) # Append the tool result as a user message messages.append({ "role": "user", "content": [ { "type": "tool_result", "tool_use_id": tool_id, "content": json.dumps(result) } ] }) # Final call β€” Claude synthesises the answer final_response = client.messages.create( model="claude-opus-4-5", max_tokens=1024, tools=tools, messages=messages ) print(final_response.content[0].text) # β†’ "Nvidia (NVDA) is currently trading at $875.40 USD."
Common Mistake

Sending only the tool_result user message without first appending the assistant's tool_use turn causes an API error: "messages: roles must alternate between 'user' and 'assistant'." Both turns are mandatory.

The tool_use_id Is the Link

Every tool_use block has a unique id like toolu_01XxyZ…. Your tool_result must reference the exact same ID in its tool_use_id field. If Claude requested multiple tools in a single response, you must return a separate tool_result block for each, all within the same user message.

Parallel Tool Calls

Claude can request multiple tools in a single response (e.g., looking up weather for three cities simultaneously). In this case, response.content will contain multiple tool_use blocks. You execute all of them and return all results in one user message with multiple tool_result content blocks β€” one per tool_use_id.

Error Handling in Tool Results

If your function fails, you should still return a tool_result β€” but with "is_error": true and a descriptive error message as content. This tells Claude the tool call failed and lets it decide whether to retry, use a different approach, or inform the user gracefully. Silently omitting a tool result breaks the conversation.

{ "type": "tool_result", "tool_use_id": "toolu_01XxyZ", "is_error": true, "content": "Ticker not found: FAKECO. Market data API returned 404." }

Lesson 2 Quiz

Building Your First Tool Call β€” 4 questions
When appending history after a tool_use response, what must you include in the messages array before your next API call?
Correct. Both turns are required. The API enforces strict role alternation β€” omitting either causes an error.
Both the assistant's tool_use turn and the user's tool_result message are required. Omitting either breaks the alternating roles requirement.
What is the purpose of the tool_use_id in a tool_result block?
Correct. The ID is the linkage mechanism. Since Claude can request multiple tools simultaneously, each result must reference its specific request ID.
The tool_use_id links the result to the specific tool invocation request. Claude uses it to correlate what was requested with what was returned.
Claude requests three tools in a single response. How should you return the results?
Correct. All results go in a single user message as separate tool_result blocks, each referencing its own tool_use_id.
All results must be returned together in one user message with separate tool_result blocks. Splitting them into multiple messages breaks the conversation structure.
Your function call fails with an exception. What is the correct approach?
Correct. Always return a tool_result even on failure. The is_error: true flag tells Claude the call failed and lets it decide how to respond.
You must always return a tool_result. Use is_error: true with a clear error message so Claude can handle the failure intelligently rather than being left without context.

Lab 2: Tool Call Debugging

Trace through multi-turn tool call flows and fix common mistakes

Your Task

Practice diagnosing and fixing tool call issues. Describe a broken implementation, trace through what went wrong, or ask the coach to walk you through building a complete tool call loop from scratch.

Complete at least 3 exchanges to finish this lab.

Try: "Here's my code β€” I'm getting a 'roles must alternate' error when I try to send back the tool result. What am I doing wrong?" β€” or paste a simplified version of code you're confused about.
Tool Call Debugger
Lesson 2 Lab
Hello! I'm your tool call debugging coach. Describe an issue you're facing β€” or ask me to walk through a complete tool call loop step by step. Common issues include message history structure, tool_use_id mismatches, and handling parallel tool requests. What would you like to work on?
Module 3 Β· Lesson 3

Tool Choice and Control

Forcing, restricting, and disabling tool use with the tool_choice parameter
How do you control whether Claude must use a tool, may use a tool, or is forbidden from using tools entirely?

When developers at companies like Sourcegraph and Notion built Claude-powered coding and productivity assistants in 2024, they discovered a friction point: Claude sometimes chose to answer from its training data when it should have called a live search tool, and other times tried to call tools when a simple conversational reply was appropriate. Anthropic's tool_choice parameter, documented in the v2 API reference, gives you precise control over this decision.

The tool_choice Parameter

The tool_choice parameter is passed alongside tools in your API request. It accepts an object with a type field that can be one of three values:

type Behaviour When to Use
"auto" Claude decides whether to call a tool or respond directly. Default when tools are provided. General-purpose assistants where tool use is optional context enrichment.
"any" Claude must call at least one tool from the provided list. Structured data extraction pipelines; cases where you always need a tool invocation.
"tool" Claude must call the specific named tool. Guaranteed schema extraction; forcing a particular function regardless of query.
Using tool_choice in Code
# Force Claude to always call one of the available tools response = client.messages.create( model="claude-opus-4-5", max_tokens=1024, tools=tools, tool_choice={"type": "any"}, messages=messages ) # Force Claude to call a SPECIFIC tool by name response = client.messages.create( model="claude-opus-4-5", max_tokens=1024, tools=tools, tool_choice={ "type": "tool", "name": "extract_invoice_data" }, messages=messages )
Disabling Tool Use

To prevent Claude from using tools even when they're defined (e.g., for a sub-prompt that should only reason), omit tools from that specific request, or pass an empty array. There is no explicit "none" tool_choice type β€” just don't include tools at all.

The disable_parallel_tool_use Flag

By default, Claude may request multiple tools in a single response (parallel tool use). This improves latency for independent operations but can complicate your orchestration logic. To force sequential, single-tool calls, set disable_parallel_tool_use: true inside the tool_choice object.

tool_choice={ "type": "auto", "disable_parallel_tool_use": true }
Structured Extraction Pattern

One of the most powerful uses of tool_choice: {type: "tool"} is forcing Claude to extract structured data from unstructured text. Define a tool whose schema matches your desired output format, force Claude to call it, and read the JSON inputs as your extracted data β€” you never even need to execute the tool.

tools = [{ "name": "extract_contact", "description": "Extract contact information from the provided text.", "input_schema": { "type": "object", "properties": { "name": {"type": "string"}, "email": {"type": "string"}, "phone": {"type": "string"} }, "required": ["name"] } }] response = client.messages.create( model="claude-opus-4-5", max_tokens=512, tools=tools, tool_choice={"type": "tool", "name": "extract_contact"}, messages=[{"role": "user", "content": raw_text}] ) # Read the structured output directly from tool inputs extracted = response.content[0].input # β†’ {"name": "Sarah Kim", "email": "s.kim@example.com", "phone": "555-0199"}
Extraction vs Execution

When using tools purely for structured extraction, you don't need to complete the multi-turn loop. Stop after reading response.content[0].input. There's no external function to execute β€” the "tool" is just a schema that shapes Claude's output into parseable JSON.

Prefilling with tool_choice

When you force a specific tool, Claude immediately produces a tool_use block β€” even if the user prompt has nothing to do with that tool. The model will infer reasonable values or fill required fields with null if there's truly no relevant information. This behaviour is predictable and useful for pipeline stages where you always need a structured response.

Lesson 3 Quiz

Tool Choice and Control β€” 4 questions
You want Claude to always call exactly one specific tool named "log_event" regardless of what the user says. Which tool_choice configuration achieves this?
Correct. {"type": "tool", "name": "log_event"} forces Claude to call that specific tool every time.
To force a specific named tool, use {"type": "tool", "name": "tool_name"}. The "any" type forces a tool call but doesn't specify which one.
What is the difference between tool_choice: {type: "auto"} and tool_choice: {type: "any"}?
Correct. "auto" is Claude's natural decision β€” it may or may not call a tool. "any" mandates that at least one tool call happens.
"auto" means Claude decides whether to use a tool or respond directly. "any" forces a tool call β€” Claude must invoke at least one tool in its response.
You're using a tool purely for structured data extraction and have forced a specific tool call. After Claude returns the tool_use block, what should you do?
Correct. For pure extraction, the input field of the tool_use block IS your structured data. No execution or follow-up call required.
When using tools for structured extraction, the tool inputs are your output. Read response.content[0].input directly β€” you don't need to execute anything or make a second call.
How do you prevent Claude from making multiple simultaneous tool calls in a single response?
Correct. Adding disable_parallel_tool_use: true to the tool_choice object ensures Claude makes only one tool call at a time.
The disable_parallel_tool_use flag inside the tool_choice object controls this. Set it to true to force sequential single-tool calls.

Lab 3: Structured Extraction Design

Use forced tool calls to extract structured data from text

Your Task

Practice designing forced tool_choice extraction pipelines. Describe data you want to extract from unstructured text, and the coach will help you design the tool schema and API configuration to reliably get structured JSON output.

Complete at least 3 exchanges to finish this lab.

Try: "I receive unstructured email receipts and need to extract: vendor name, total amount, date, and line items. How do I set this up as a forced tool extraction?" β€” or ask about handling optional vs required fields.
Extraction Pipeline Coach
Lesson 3 Lab
Welcome to the extraction pipeline lab. I'll help you design tool schemas for structured data extraction using tool_choice: {type: "tool"}. Tell me what kind of unstructured text you're working with and what structured output you need β€” we'll build the schema together.
Module 3 Β· Lesson 4

Agentic Tool Loops and Best Practices

Building autonomous multi-step agents that use tools safely and reliably
When Claude can call tools across many turns autonomously, what architectural patterns prevent mistakes β€” and what does Anthropic say about keeping humans in control?

In Anthropic's published model spec, the company explicitly addresses agentic AI: "In agentic contexts, Claude must apply particularly careful judgment about when to proceed versus when to pause and verify with the operator or user, since mistakes may be difficult to reverse, and could have downstream consequences within the same pipeline." This guidance shaped how developers architected Claude-powered agents throughout 2024 β€” not as autonomous systems that run until done, but as collaborative loops with human checkpoints.

The Agent Loop Pattern

An agentic loop is a while-loop that continues until Claude returns stop_reason: "end_turn" (or hits a maximum step count). At each iteration, you check whether Claude wants to use tools, execute them, and feed results back. This is how complex tasks β€” "research this topic and write a report" β€” get broken into steps.

def run_agent(initial_message, tools, max_steps=10): messages = [{"role": "user", "content": initial_message}] steps = 0 while steps < max_steps: response = client.messages.create( model="claude-opus-4-5", max_tokens=4096, tools=tools, messages=messages ) steps += 1 if response.stop_reason == "end_turn": return response.content[0].text # Done if response.stop_reason == "tool_use": # Append assistant turn messages.append({"role": "assistant", "content": response.content}) # Execute all requested tools tool_results = [] for block in response.content: if block.type == "tool_use": result = execute_tool(block.name, block.input) tool_results.append({ "type": "tool_result", "tool_use_id": block.id, "content": json.dumps(result) }) # Append all results in one user message messages.append({"role": "user", "content": tool_results}) return "Max steps reached." # Safety exit
Always Set a Max Steps Limit

Without a step limit, a poorly designed agent can loop indefinitely, accumulating API costs and latency. Set a conservative limit (10–25 steps for most tasks) and surface a "max steps reached" condition to the user. This is not a failure mode to hide β€” it is important feedback that your tool definitions or prompts may need refinement.

The Minimal Footprint Principle

Anthropic's safety guidance recommends that agentic Claude implementations request only the permissions they need, avoid storing sensitive data beyond immediate use, prefer reversible over irreversible actions, and err on the side of doing less and confirming when uncertain about scope.

In practical terms: don't give your agent a "delete_file" tool unless deletion is truly required. If deletion is required, confirm with the user before executing it. Prefer tools that read over tools that write, and tools that write over tools that delete.

1
Minimal permissions
Only expose tools the agent actually needs for the specific task. Unused tools increase attack surface and hallucination risk.
2
Reversibility preference
Design tools to be reversible where possible. "archive" is better than "delete". If irreversibility is unavoidable, add a confirmation step.
3
Checkpoint before high-stakes actions
For destructive or expensive operations, interrupt the loop, surface Claude's plan to a human, and only proceed on explicit confirmation.
4
Log every tool invocation
Record tool name, inputs, and outputs for every step. This is essential for debugging, auditing, and explaining agent behaviour after the fact.
Prompt Injection in Agentic Contexts

When Claude's tools include reading external content β€” web pages, documents, emails β€” that content can contain adversarial instructions attempting to hijack the agent. This is known as prompt injection. Anthropic's documentation explicitly warns about it in agentic contexts.

Mitigations include: using separate system prompt instructions that reinforce Claude's actual goals, validating tool outputs before feeding them back to Claude, being skeptical of tool results that try to redefine Claude's task or permissions, and never including raw untrusted content directly in your system prompt.

Computer Use and Extended Tools

In October 2024 Anthropic released Claude's computer use capability in public beta, extending the tool pattern to controlling a desktop environment. The same principles apply at larger scale: Claude requests actions (move_mouse, click, type), your code executes them, results come back as screenshots. The architecture is identical β€” only the stakes are higher, making the minimal footprint and human-checkpoint principles even more critical.

Streaming with Tool Use

When using streaming (stream=True), tool use events arrive as a sequence of delta events: content_block_start, content_block_delta (with input_json_delta for building up the JSON), and content_block_stop. You must buffer the JSON deltas and parse the complete input after content_block_stop. Attempting to parse partial JSON deltas mid-stream will fail.

Agent loopA while-loop that repeatedly calls Claude, executes tools, and returns results until stop_reason is "end_turn" or a max step limit is reached.
Minimal footprintAnthropic's principle that agentic systems should request only necessary permissions and prefer reversible actions to limit potential damage from errors.
Prompt injectionAn attack where adversarial instructions embedded in tool outputs attempt to redirect Claude's behaviour away from its intended task.
input_json_deltaStreaming event type that delivers partial JSON for tool inputs incrementally; must be buffered before parsing.

Lesson 4 Quiz

Agentic Tool Loops and Best Practices β€” 4 questions
Why should you always set a maximum step limit in an agentic tool loop?
Correct. Without a limit, poorly designed agents can loop indefinitely. The limit is also a diagnostic signal β€” hitting it usually means something needs fixing in your prompts or tools.
The step limit prevents runaway loops that accumulate costs and masks bugs. There is no automatic API limit β€” you must implement this yourself.
According to Anthropic's minimal footprint principle, which tool design approach is preferred for an agent that might need to remove files?
Correct. Prefer reversible actions (archive), require human confirmation before irreversible ones (delete), and only expose destructive tools when genuinely required.
Anthropic recommends preferring reversible actions, using confirmation checkpoints before irreversible operations, and minimising the scope of tools exposed to the agent.
What is prompt injection in an agentic context, and where does it typically originate?
Correct. When agents read external content, that content can contain malicious instructions. Anthropic explicitly flags this risk in agentic context documentation.
Prompt injection in agentic systems occurs when external content (web pages, emails, documents) that Claude reads via tools contains adversarial instructions designed to redirect the agent.
When streaming a tool call response, why must you buffer input_json_delta events before parsing?
Correct. Each input_json_delta is a fragment. You must accumulate all deltas until content_block_stop before parsing the assembled JSON string.
Each delta is a partial JSON fragment. Attempting to parse them individually will raise JSON parse errors. Always wait for content_block_stop before parsing.

Lab 4: Agent Design Review

Design safe, effective agentic tool loops with human checkpoints

Your Task

Work with the coach to design or critique an agentic tool loop. Describe the agent you want to build, and get guidance on tool selection, step limits, human checkpoint placement, and prompt injection defences.

Complete at least 3 exchanges to finish this lab.

Try: "I want to build an agent that browses the web, finds product information, and writes a comparison report. What tools do I need and where should I put safety checkpoints?" β€” or describe an agent you're already building and ask for a safety review.
Agent Design Coach
Lesson 4 Lab
Welcome to the agent design lab. I'll help you design safe, effective agentic tool loops following Anthropic's best practices. Describe the autonomous agent you want to build β€” what's its goal, what tools will it need, and what are the riskiest actions it might take? Let's design it right from the start.

Module 3 Test

Tool Use and Function Calling β€” 15 questions Β· Pass at 80%
1. When Claude outputs a tool_use content block, what must happen next before Claude can produce a final answer?
Correct. Your code runs the function, then sends back the assistant's tool_use turn plus a user tool_result message.
Claude cannot self-execute tools. Your code must execute the function and return the result in the proper message format.
2. Which three fields are required in every Anthropic tool definition?
Correct. Every tool needs a name (for Claude to reference), a description (for Claude to decide when to use it), and an input_schema (for Claude to know what parameters to provide).
The required fields are name, description, and input_schema. These map to what the tool is called, when to use it, and what parameters it accepts.
3. What does stop_reason: "tool_use" tell you?
Correct. "tool_use" stop reason signals that Claude has produced tool_use content blocks and is waiting for results before it can continue.
"tool_use" means Claude is pausing to request tool execution. "end_turn" is the stop reason when Claude has produced a final answer.
4. You send an API request and get back a response with stop_reason "tool_use". You execute the function and want to send the result back. Which message structure is correct?
Correct. The full conversation history must include the original user message, the assistant's tool_use response, and the new user message with tool_result.
You must maintain the complete turn history: original user message β†’ assistant tool_use β†’ user tool_result. The assistant's turn cannot be skipped.
5. What does tool_choice: {type: "any"} guarantee?
Correct. "any" forces at least one tool call but gives Claude freedom to choose which tool from the provided list.
"any" means at least one tool must be called. Claude selects which tool is most appropriate, but it cannot skip tool use entirely.
6. When would you use the structured extraction pattern (forcing a specific tool call but never executing the function)?
Correct. For extraction, the tool is just a JSON schema that constrains Claude's output into a parseable structure. No external function call is needed.
The extraction pattern uses tools as output schemas. You force Claude to call the tool, read the structured inputs it generates, and use those as your parsed data β€” no execution required.
7. Claude requests two tools simultaneously in one response. How do you return both results?
Correct. All results for a given assistant turn must be returned in one user message as separate tool_result blocks with matching IDs.
When Claude makes parallel tool calls, all results must be returned together in a single user message. Each result block must reference its specific tool_use_id.
8. What is the correct way to signal a tool execution error to Claude?
Correct. Always return a tool_result even on failure. The is_error flag lets Claude understand what happened and respond appropriately.
You must always send a tool_result. Use is_error: true with a clear message so Claude can handle the failure gracefully rather than being left without context.
9. According to Anthropic's minimal footprint principle, which action should an agentic system prefer when possible?
Correct. Minimal footprint means reversible actions, minimum permissions, and human confirmation before irreversible steps β€” all to limit potential damage from errors.
Anthropic's minimal footprint principle prioritises reversibility, minimal permissions, and human oversight β€” especially for irreversible or high-stakes actions.
10. What is prompt injection in an agentic Claude workflow?
Correct. Adversarial content in external sources can attempt to override Claude's instructions. Anthropic flags this as a specific risk in agentic contexts.
Prompt injection refers to hidden adversarial instructions in external content β€” web pages, emails, files β€” that Claude retrieves via tools, attempting to hijack its behaviour.
11. What is the purpose of the tool_use block's "id" field (e.g., "toolu_01XxyZ...")?
Correct. The ID is the linkage mechanism. Your tool_result must include this ID in its tool_use_id field so Claude can correlate result with request.
The ID uniquely identifies each tool invocation request. When you return results, the tool_use_id in your tool_result must match this ID exactly.
12. When streaming a tool call response, what must you do with input_json_delta events?
Correct. Each delta is a JSON fragment. Parse only after content_block_stop signals the complete input has been streamed.
input_json_delta events are fragments. Always buffer them and parse the complete assembled string after content_block_stop.
13. How do you prevent Claude from making parallel tool calls in an agentic loop?
Correct. The disable_parallel_tool_use flag in the tool_choice object forces sequential single-tool calls.
Add disable_parallel_tool_use: true to your tool_choice configuration to force Claude to make one tool call at a time.
14. Anthropic's model spec states that in agentic contexts, Claude should "pause and verify" with the operator or user in which scenario?
Correct. Anthropic's guidance explicitly calls for pausing before potentially irreversible actions or when the scope of what was intended is unclear.
The model spec calls for pausing before actions that could be hard to reverse, or when uncertain about scope. This is the human oversight principle in practice.
15. For a structured extraction workflow where you force a specific tool, when should you stop the multi-turn loop?
Correct. For extraction, the tool_use block's input IS your structured data. No follow-up needed β€” stop there and read the result.
In forced extraction mode, the tool inputs contain your structured output. You don't need to complete the loop β€” just read response.content[0].input and you're done.