Tools and MCPs·Task 8.1·Bloom: apply·Difficulty 3/5·9 min read·Updated 2026-07-12

Tool Error Handling and Usage Patterns for CCDV-F

Tool Implementation (4.4%): Tool implementation practices for Claude applications, including tool use and function calling, configuration for external system interaction, tool description writing, error handling, tool usage patterns (agentic harness dispatch, client-side vs. server-side tools, approval patterns), and tool set construction best practices.

SUBy Solomon UdohReviewed by Solomon UdohAI-assisted · human-reviewed
In short
A well-behaved tool returns a structured error Claude can reason about, clearly distinct from a valid empty result. Where the tool runs matters too: client-side tools execute in the caller environment while server-side tools run remotely, changing trust and latency. Sensitive calls should sit behind an approval pattern rather than auto-running.

From calling a tool to calling it well

Once you understand tool use and function calling, the next step is making tools behave reliably when things go wrong or when the action is risky. That is what this knowledge point is about, and because it sits at the apply level on the Claude Certified Developer - Foundations (CCDV-F) exam, you are expected to choose the right pattern for a given situation, not just define terms. Three ideas do the work: structured errors, the client-side versus server-side distinction, and approval gates.

Returning a structured error, not a silent failure

When a tool cannot complete its job, it must tell Claude clearly. The right behaviour is to return a structured error: an outcome the model can read and reason about, explicitly marked as a failure. If a get_invoice tool cannot find the invoice because the service is down, it should return an error saying so, so Claude can retry, apologise, or escalate. The model treats a tool_result as ground truth, so how you shape that result directly steers its next decision.

The critical distinction is between a failure and a valid empty result. These are not the same thing, and conflating them is the central exam trap here. A search that ran correctly and found nothing returned a valid empty result: the answer is "there are zero matches." A search that could not run at all returned a failure: the answer is "I do not know, something broke." If you return the failure as an empty result, Claude concludes there are no matches and moves on, hiding the outage. If you return the empty result as an error, Claude thinks the tool is broken and may retry forever or give up on a perfectly good query. Structured errors keep the two cases separate so the model reasons correctly.

Structured tool error
An outcome a tool returns to Claude that explicitly signals a failure the model can reason about, kept clearly distinct from a valid empty result. A failed lookup and a lookup that found nothing are different signals and must not be reported as each other.

Client-side versus server-side tools

Where a tool actually runs changes its trust profile and its latency, and the exam expects you to reason about that. A client-side tool executes in the caller's own environment: the same process or machine that is orchestrating the conversation. It has direct access to local files, local credentials, and the caller's network position, and it typically runs with low latency because there is no extra hop.

A server-side tool executes remotely, on a separate service the caller reaches over the network. That remote execution changes two things. Trust shifts, because the tool now runs in an environment you may not fully control and the data crosses a boundary to get there. Latency rises, because every call is a network round trip to the remote service. Neither is automatically better; the point is that the choice has consequences. A tool that needs the caller's local context and speed belongs client-side, while a tool that centralises a capability for many callers, or that must run where sensitive systems live, belongs server-side. This same trade-off reappears when you decide between local and networked MCP communication patterns.

2 signals
failure vs valid empty result, kept distinct
client-side
runs local: caller trust, low latency
server-side
runs remote: shifted trust, added latency

Approval patterns for sensitive calls

Not every tool is safe to run the instant Claude requests it. A tool that sends money, deletes records, emails a customer, or changes production configuration is one bad request away from real damage. An approval pattern places a gate between the model's tool_use request and the actual execution: a human confirms the action, or a deterministic check validates it, before the harness runs the call. Only after that gate passes does the tool execute and return a result.

The exam trap here is treating every tool as safe to auto-run. It is tempting to wire all tools onto the same automatic path because it is simpler, but that removes the one safeguard that stops a mistaken or manipulated request from doing harm. The discipline is to classify tools: read-only and low-impact tools can auto-run, while sensitive or destructive ones sit behind an approval gate. Note that this is a request-execute-return loop with a checkpoint inserted, the same loop from tool use and function calling, so the model still only requests, and the gate governs whether your harness actually runs the call.

An approval gate on a sensitive tool call
Loading diagram...
Low-impact tools run straight through; sensitive ones pass through an approval gate first, and a denial comes back as a structured error.

The traps the exam sets

This knowledge point has two closely watched traps, and both are about honesty of signals. The first is returning a valid empty result as an error, or an error as an empty result. A question may describe an agent that keeps insisting a customer has no orders when the order service was actually down, or an agent that retries endlessly against a query that simply has no matches. The cause in both cases is a tool that blurred the line between "nothing found" and "could not run." Returning a structured error for real failures and a clean empty result for genuine emptiness is the fix.

The second trap is treating every tool as safe to auto-run without an approval pattern for sensitive ones. A scenario might show an agent that autonomously issued a refund or deleted a record because the tool was on the automatic path with no gate. The correction is to place sensitive actions behind a human or deterministic approval before execution.

Worked example

A support agent tool searches a knowledge base, and a separate tool issues account credits. Both are wired to auto-run and both return an empty object on any problem.

The knowledge-base search returns an empty object both when it finds no articles and when the search backend times out. Because the harness treats an empty object as "no results," Claude tells customers there is no relevant documentation even during outages, quietly hiding a real failure. The fix is a structured error: the timeout case must return an explicit failure so Claude can say it could not check right now, while a genuine no-match case returns a clean empty result.

The credit-issuing tool is worse. It is on the same auto-run path as the search, so when a manipulated or mistaken request asks Claude to credit an account, the harness executes it immediately with no checkpoint. The fix is an approval pattern: because issuing a credit is sensitive, the call must pass a human confirmation or a deterministic policy check before the harness runs it. If the check denies the request, that denial is returned to Claude as a structured error rather than silently swallowed. Two lessons the exam wants: separate failures from empty results, and never put a sensitive action on the auto-run path.

Common misreadings to avoid

Misconception

If a tool has nothing to return, returning an empty result and returning an error are basically the same.

What's actually true

They are opposite signals. An empty result means the tool ran and found nothing; a structured error means the tool could not run. Swapping them makes Claude either hide an outage or distrust a valid empty answer.

Misconception

Once a tool is defined, it is fine to let Claude auto-run it whenever it asks.

What's actually true

Low-impact tools can auto-run, but sensitive or destructive tools need an approval pattern, a human or deterministic check between the request and execution, or a single bad request can do real harm.

How this is tested on the exam

Domain 8 questions on this knowledge point are scenario-based and ask you to apply judgement. You will see an agent that misreports an outage as an empty result, or one that took a destructive action with no checkpoint, and you must identify the missing pattern. The correct answers come back to the three ideas here: return structured errors distinct from empty results, understand that client-side and server-side execution change trust and latency, and gate sensitive calls behind approval. Master those and you can diagnose the tool-behaviour scenarios the CCDV-F exam favours.

Check your understanding

An agent's inventory-lookup tool returns an empty list both when a product genuinely has zero stock and when the inventory service is unreachable. During an outage, the agent confidently tells customers items are out of stock. What is the best fix?

People also ask

How should a Claude tool report an error?
Return a structured error the model can reason about, clearly marked as a failure and kept distinct from a valid empty result. That lets Claude retry, escalate, or apologise instead of misreading the outcome.
What is the difference between client-side and server-side tools?
Client-side tools run in the caller environment with local access and low latency; server-side tools run remotely, which shifts the trust boundary and adds network latency. The choice depends on where the capability and its data should live.
When do you gate a tool call behind approval?
When the call is sensitive or destructive, such as issuing a refund or deleting data. An approval pattern inserts a human confirmation or deterministic check between the model request and the actual execution.

Watch and learn

Official Anthropic Academy lessons first, then hand-picked walkthroughs. Videos load only when you press play.

No videos curated for this concept yet

We are still curating the best official and community videos for this topic.

References & primary sources

Adaptive study

Master this concept with Archie

Practice it inside an adaptive study session. Archie, your Socratic AI tutor, tracks your mastery with Bayesian Knowledge Tracing and schedules the perfect next review.

Start studying