Structured Outputs & Tool Calling: Making LLMs Reliable in Production

The first time I tried to get an LLM to return structured data in production, I did what most people do: I wrote a prompt that said "respond only with valid JSON" and called it a day. It worked in testing: 47 out of 50 test cases passed. The three failures were edge cases: a model that added a markdown code fence around the JSON (\``json\n{...}````), one that appended "Hope this helps!" after the closing brace, and one that returned a JavaScript object literal instead of JSON (single-quoted keys). I shipped it anyway. Within two days of prod traffic, we had a 4.3% error rate on the parsing step. At 50,000 daily requests, that was 2,150 silent failures per day.

The fix wasn't better prompting. The fix was understanding that "respond with JSON" is a suggestion to a language model, not a contract. Modern APIs give you actual contracts if you use them correctly.

This post covers the two mechanisms that turn probabilistic LLM outputs into something you can build reliable systems on: structured outputs (constrained generation that guarantees a schema) and tool calling (a typed function-dispatch protocol). I'll show you the architecture, the failure modes I've hit in production, and the implementation patterns that actually hold up at scale.

Why "Just Prompt for JSON" Fails

Before the structured output APIs existed, the standard approach was prompt-based JSON extraction. It fails in predictable ways, and understanding why helps you appreciate what the newer approach actually solves.

When an LLM generates text, it produces tokens one at a time, sampling from a probability distribution over its vocabulary. There is no constraint forcing token sequences to be valid JSON. The model has simply learned that JSON-like sequences often follow "respond with JSON" instructions. But this is correlation, not a grammar enforcer.

The failure modes I've catalogued across production systems:

Markdown fencing. Models trained with chat formatting learn to wrap code blocks in backticks. The instruction "respond with JSON" conflicts with the "format code blocks" pattern the model learned. Result: ```json\n{...}\n```. Regex stripping works until the model nests code blocks inside the JSON strings.

Trailing commentary. The model completes the JSON object and then adds "Let me know if you need any changes!" (valid behavior for a chat model, invalid for a structured data pipeline).

Schema drift under long context. You define a schema in the system prompt. Across a long conversation, the model's attention to the schema weakens. By message 15, it starts omitting optional fields, then required ones.

Type coercion ambiguity. The model returns "count": "5" instead of "count": 5. Your downstream code does parseInt() and appears to work, until count is "N/A" and parseInt returns NaN.

Null vs. absent. The model omits a field versus setting it to null. These are semantically different in most schemas, and the model has no native concept of "required field."

None of these are fixable by better prompting alone, because the root issue is that text generation has no schema awareness. Constrained generation does.

flowchart TD A[User Prompt] --> B[LLM Token Generation] B --> C{Output Type} C -->|Unconstrained| D[Raw Text Response] C -->|Structured Output| E[Schema-Constrained Tokens] D --> F{Parse Attempt} F -->|Success ~96%| G[Application Logic] F -->|Failure ~4%| H[Error / Silent Drop] E --> I[Guaranteed Valid Schema] I --> G style H fill:#ff6b6b,color:#fff style I fill:#51cf66,color:#fff style G fill:#339af0,color:#fff

How Constrained Generation Works

The technical mechanism behind structured outputs (as implemented by OpenAI, Anthropic, Google, and most inference frameworks) is logit biasing or grammar-constrained decoding.

At each generation step, the model produces a logit distribution over its vocabulary (typically 50k–100k tokens). Normally, you sample from this distribution. With constrained generation, you apply a mask: tokens that would produce invalid output according to the current grammar state are forced to zero probability before sampling.

The grammar is derived from your schema (JSON Schema, Pydantic model, TypeScript interface). A finite state machine tracks which tokens are valid given the output generated so far. If you're inside a JSON string value and the schema says this field is type: integer, the FSM will only allow digit characters and the closing quote: no letters, no null, no array brackets.

This means the model cannot physically produce malformed output relative to your schema. The output is mathematically guaranteed to parse. The tradeoff: the model's expressiveness within constrained fields is unaffected; it can still return nonsense integers that happen to be valid JSON. The constraint is structural, not semantic.

import anthropic
import json

client = anthropic.Anthropic()

# Using tool_use as structured output (Anthropic's mechanism)
response = client.messages.create(
    model="claude-opus-4-7",
    max_tokens=1024,
    tools=[{
        "name": "extract_order_info",
        "description": "Extract structured order information from customer message",
        "input_schema": {
            "type": "object",
            "properties": {
                "product_id": {"type": "string"},
                "quantity": {"type": "integer", "minimum": 1},
                "shipping_tier": {
                    "type": "string",
                    "enum": ["standard", "express", "overnight"]
                },
                "special_instructions": {
                    "type": ["string", "null"],
                    "description": "Any special handling requests"
                }
            },
            "required": ["product_id", "quantity", "shipping_tier"]
        }
    }],
    tool_choice={"type": "tool", "name": "extract_order_info"},
    messages=[{
        "role": "user",
        "content": "I need 3 units of SKU-4821, ship express, and please leave at door"
    }]
)

tool_call = response.content[0]
order_data = tool_call.input  # Already a Python dict, guaranteed to match schema
print(json.dumps(order_data, indent=2))

{
  "product_id": "SKU-4821",
  "quantity": 3,
  "shipping_tier": "express",
  "special_instructions": "please leave at door"
}

The tool_call.input is already a parsed Python dict (no json.loads(), no try/except, no regex cleanup). The SDK handles deserialization and schema validation before the object reaches your code.

Tool Calling: A Typed Function-Dispatch Protocol

Tool calling is often described as "giving the LLM access to functions," but that framing understates what it actually is. Tool calling is a typed, turn-based protocol for dispatching function calls from within a language model's reasoning loop.

The key distinction from structured outputs: structured outputs control what the model returns. Tool calling controls what the model requests: the model signals "I need the result of function X with these arguments," your application executes X, and the result flows back into the model's context for the next reasoning step.

This separation of concerns (model decides, your code executes) is what makes tool calling safe. The LLM cannot directly call your database. It can only request that your code do so, and your code can validate, rate-limit, and log every request.

sequenceDiagram participant U as User participant L as LLM participant O as Orchestrator participant T as Tools U->>O: "What's the weather in Berlin and should I reschedule my 2pm?" O->>L: User message + tool definitions L->>O: tool_use: get_weather(location="Berlin") O->>T: Execute get_weather("Berlin") T->>O: {"temp": 8, "conditions": "rain", "wind_kph": 32} O->>L: tool_result: weather data L->>O: tool_use: get_calendar(date="today", time="14:00") O->>T: Execute get_calendar(...) T->>O: {"event": "Product review", "attendees": 6, "host": false} O->>L: tool_result: calendar data L->>O: "It's 8°C and raining heavily — yes, I'd suggest rescheduling. Your 2pm is a 6-person product review where you're not the host, so send a reschedule request to the organizer." O->>U: Final response

The orchestrator is doing real work here: executing tools, handling errors, routing results back to the model. The LLM is the reasoning engine; your code is the execution engine.

Defining Tools That Work

The quality of your tool definitions determines how reliably the model uses them. Three rules I've learned by breaking them:

Be specific in descriptions. The model uses your description to decide when to call the tool. "Get data" is useless. "Get the current weather conditions including temperature (°C), precipitation chance, and wind speed for a specific city" tells the model exactly what it will receive.

Mirror your actual function signatures. If your Python function raises ValueError when date is in the past, say so in the schema description: "The calendar date to query. Must be today or a future date." The model will avoid calling the tool with invalid arguments more often.

Keep tools focused. A tool that does five things forces the model to understand five things simultaneously. A get_order_status tool that returns only status information is faster to call, easier to test, and the model makes fewer mistakes with it than a get_order_info tool that also returns customer details, shipping address, and payment history.

tools = [
    {
        "name": "get_order_status",
        "description": (
            "Get the current fulfillment status of a specific order. "
            "Returns status (pending/processing/shipped/delivered/cancelled), "
            "estimated delivery date if shipped, and tracking number if available. "
            "Use this when the user asks about where their order is or when it will arrive."
        ),
        "input_schema": {
            "type": "object",
            "properties": {
                "order_id": {
                    "type": "string",
                    "description": "The order ID, format ORD-XXXXXXXXX"
                }
            },
            "required": ["order_id"]
        }
    }
]

This description tells the model three things: what data comes back, when to call this tool versus another, and what format the input should be. That third point matters: models make format errors on IDs far less often when the expected format is in the description.

Implementation Guide: Production Patterns

Pattern 1: Parallel Tool Calls

Modern APIs support parallel tool execution, allowing the model to request multiple tools in a single turn. This matters for latency: a customer support agent answering "What's the status of my last three orders?" should fire three get_order_status calls simultaneously, not sequentially.

import asyncio
import anthropic

client = anthropic.Anthropic()

async def execute_tool(tool_name: str, tool_input: dict) -> str:
    """Dispatch tool calls to their implementations."""
    match tool_name:
        case "get_order_status":
            return await get_order_status(tool_input["order_id"])
        case "get_product_info":
            return await get_product_info(tool_input["product_id"])
        case _:
            raise ValueError(f"Unknown tool: {tool_name}")

async def run_agent_turn(messages: list, tools: list) -> str:
    response = client.messages.create(
        model="claude-opus-4-7",
        max_tokens=2048,
        tools=tools,
        messages=messages
    )

    if response.stop_reason != "tool_use":
        return response.content[0].text

    # Collect all tool calls from this turn
    tool_calls = [b for b in response.content if b.type == "tool_use"]

    # Execute all tool calls in parallel
    results = await asyncio.gather(*[
        execute_tool(tc.name, tc.input) for tc in tool_calls
    ])

    # Build tool_result messages
    tool_results = [
        {"type": "tool_result", "tool_use_id": tc.id, "content": result}
        for tc, result in zip(tool_calls, results)
    ]

    # Continue the conversation with tool results
    messages = messages + [
        {"role": "assistant", "content": response.content},
        {"role": "user", "content": tool_results}
    ]

    return await run_agent_turn(messages, tools)

$ python benchmark_parallel_tools.py --orders 3
Sequential execution:  847ms (3 × 282ms avg)
Parallel execution:    291ms (282ms max + 9ms overhead)
Speedup: 2.91×

The benchmark on a c7i.2xlarge against a mock order service shows near-linear speedup. Real-world gains depend on tool latency variance, but for I/O-bound tools (database queries, API calls), parallel execution almost always wins.

Pattern 2: Typed Tool Dispatch with Pydantic

Manual schema definitions get out of sync with implementations. Generating them from Pydantic models keeps your type system and your LLM schema as a single source of truth.

from pydantic import BaseModel, Field
from typing import Literal
import json

class GetOrderStatusInput(BaseModel):
    order_id: str = Field(
        description="The order ID in format ORD-XXXXXXXXX"
    )

class SearchProductsInput(BaseModel):
    query: str = Field(description="Natural language search query")
    category: Literal["electronics", "clothing", "home", "all"] = Field(
        default="all",
        description="Product category to filter results"
    )
    max_results: int = Field(
        default=5,
        ge=1,
        le=20,
        description="Maximum number of results to return (1-20)"
    )

def pydantic_to_tool(model: type[BaseModel], name: str, description: str) -> dict:
    schema = model.model_json_schema()
    # Strip Pydantic metadata that confuses LLM schema parsers
    schema.pop("title", None)
    for prop in schema.get("properties", {}).values():
        prop.pop("title", None)
    return {
        "name": name,
        "description": description,
        "input_schema": schema
    }

tools = [
    pydantic_to_tool(
        GetOrderStatusInput,
        "get_order_status",
        "Get current fulfillment status and tracking info for an order."
    ),
    pydantic_to_tool(
        SearchProductsInput,
        "search_products",
        "Search the product catalog. Use when the user wants to find or browse products."
    )
]

Now your tool dispatch can also validate inputs:

def dispatch_tool(tool_name: str, raw_input: dict) -> str:
    match tool_name:
        case "get_order_status":
            validated = GetOrderStatusInput(**raw_input)  # raises if invalid
            return get_order_status(validated.order_id)
        case "search_products":
            validated = SearchProductsInput(**raw_input)
            return search_products(validated.query, validated.category, validated.max_results)

The Pydantic validation layer catches the cases where a model hallucinates input values that are structurally valid JSON but semantically wrong, such as max_results: 500 when your schema says maximum 20.

flowchart LR A[Pydantic Model] -->|model_json_schema| B[JSON Schema] B -->|tools param| C[LLM API] C -->|tool_use block| D[raw input dict] D -->|Model validation| E{Valid?} E -->|Yes| F[Execute Tool] E -->|No| G[Return error to LLM] F --> H[Tool Result] G --> C style E fill:#ffd43b,color:#000 style F fill:#51cf66,color:#fff style G fill:#ff6b6b,color:#fff

The Gotcha That Burned Us: Tool Result Size

There is a non-obvious production failure that won't appear in your dev environment: tool results that grow in production.

We shipped a customer support agent with a get_customer_history tool. In testing, customers had 3–5 orders. In production, we had customers with 847 orders. Each order record was ~400 tokens of JSON. That's 338,000 tokens in a single tool result. On a model with a 200,000-token context window, the response succeeded, but the next LLM call had essentially no room for reasoning. The symptoms: the model started responding with vague, confused answers. No errors in the logs, no exceptions. Just a gradual degradation in response quality as the context filled up. It took four days to isolate.

The fix is to always paginate and truncate tool results at the boundary:

def get_customer_history(customer_id: str, max_orders: int = 10) -> str:
    orders = db.get_orders(customer_id, limit=max_orders)
    total = db.count_orders(customer_id)
    return json.dumps({
        "orders": [o.to_summary_dict() for o in orders],  # summaries, not full records
        "showing": len(orders),
        "total": total,
        "note": f"Showing {len(orders)} most recent of {total} total orders."
    })

Set a hard cap of ~2,000 tokens per tool result. Use summary representations. Return pagination metadata so the model can request more if needed.

Choosing Between Structured Outputs and Tool Calling

These two mechanisms solve different problems. Choosing the wrong one is a common source of unnecessary complexity.

Scenario	Use Structured Outputs	Use Tool Calling
Extract fields from user input	✓
Classify intent / sentiment	✓
Generate a typed data record	✓
Look up current data (weather, stock, order status)		✓
Write to a database or external system		✓
Multi-step reasoning requiring external info		✓
One-shot transformation (input → typed output)	✓
Agent that takes actions in the world		✓

The rule of thumb: if the model has all the information it needs to produce the output, use structured outputs. If the model needs to fetch or write information to produce the output, use tool calling.

A common antipattern is using tool calling for structured extraction: defining a format_response tool that the model always calls at the end, with the tool's schema acting as the output schema. This works, but it's slower (one extra turn), more expensive, and semantically confusing. Use response_format: json_schema or Anthropic's tool_choice: {"type": "tool"} pattern with a dedicated extraction tool, but reserve actual tool calling for actual side-effectful operations.

Production Considerations

Latency Budget

Tool-calling agents have a fundamentally different latency profile from single-turn completions. Each tool execution round-trip adds:

• LLM inference time to decide which tool to call
• Network round-trip to your tool server
• Tool execution time (database query, API call)
• Another LLM inference to process the result

For a 3-tool sequential chain on Claude Opus 4.7: ~3.8s median on warm requests. For the same tools run in parallel (where the model requests them all at once): ~1.6s median. The delta at p99 is larger: sequential chains have a long tail from tool error retries.

Track tool_rounds as a metric in your observability layer. If a query is taking 5+ tool rounds, something is either underspecified in your tool definitions (the model is exploring) or the task should have been broken into smaller, more focused agents.

Error Handling

Tool errors should be returned to the model, not raised as exceptions. The model can often recover: it will try a different tool, ask the user for clarification, or route around the failure.

async def safe_execute_tool(tool_name: str, tool_input: dict) -> str:
    try:
        result = await execute_tool(tool_name, tool_input)
        return json.dumps({"success": True, "data": result})
    except ToolNotFoundError:
        return json.dumps({"success": False, "error": f"Tool '{tool_name}' not available"})
    except ValidationError as e:
        return json.dumps({"success": False, "error": f"Invalid arguments: {e.errors()}"})
    except ExternalServiceError as e:
        return json.dumps({"success": False, "error": f"Service unavailable: {str(e)}"})

The model treats a success: false result as information. In practice, Claude and GPT-4o will often rephrase the request or try a fallback tool when they receive a structured error. The system degrades gracefully instead of hard-crashing.

Schema Versioning

Your tool schemas will evolve. Adding optional fields is safe. Removing required fields or changing types is breaking. Treat your tool schema like an API contract: use semantic versioning, and maintain backward compatibility with a deprecation notice in the description before removing fields.

When you add a new tool, old clients running in production will suddenly have the tool available in their context. This is usually fine, but watch for behavior changes, since a new tool can activate more often than expected, adding latency to queries that didn't need it.

Conclusion

Structured outputs and tool calling are the two primitives that close the gap between "LLM demo" and "production system." Structured outputs remove parsing uncertainty by constraining token generation to a valid schema. Tool calling gives the model a safe, typed mechanism to request actions your code executes.

The mental model that's served me best: treat the LLM as a reasoning function and tool calling as its I/O interface. The model reasons; your code acts. That separation is what makes the system auditable, testable, and safe to put in front of users.

The patterns in this post — parallel tool execution, Pydantic-derived schemas, result size caps, structured error returns — aren't sophisticated. They're the boring foundations that make the interesting parts work reliably. Get them right early, because retrofitting them into a production agent is a worse day than building them in from the start.

Working code for all examples in this post: github.com/amtocbot-droid/amtocbot-examples/tree/main/structured-outputs-tool-calling

---

Sources

1. Anthropic Tool Use Documentation — Official reference for Anthropic's tool calling API and schema format.
2. OpenAI Structured Outputs Guide — Technical explanation of constrained decoding and JSON Schema enforcement.
3. Efficient Guided Generation for Large Language Models (Willard & Louf, 2023) — The paper behind the FSM-based constrained generation approach used in Outlines and adopted by major inference frameworks.
4. Building Effective Agents — Anthropic Cookbook — Production patterns for multi-tool agent orchestration.
5. Pydantic v2 JSON Schema Generation — Reference for using Pydantic models as LLM tool schema sources.

About the Author

Toc Am

Founder of AmtocSoft. Writing practical deep-dives on AI engineering, cloud architecture, and developer tooling. Previously built backend systems at scale. Reviews every post published under this byline.

LinkedIn X / Twitter

Published: 2026-04-18 · Written with AI assistance, reviewed by Toc Am.

☕ Buy Me a Coffee · 🔔 YouTube · 💼 LinkedIn · 🐦 X/Twitter