Test Your MCP Tools Before You Ship Them: A Practical Workflow
By Promptster Team · 2026-06-16
MCP crossed roughly 97M monthly SDK downloads by March 2026. It's no longer an experiment — it's the default way models talk to your tools. Which means the bar just moved: shipping an MCP server is now shipping production infrastructure, and most teams still test it by eyeballing a single happy-path call in Claude Desktop.
That's not testing. That's hoping.
This is the workflow we use to test MCP tools before they ship: schema validation, description quality, and tool-call correctness — three layers, each with a concrete check you can run today.
What "Testing An MCP Tool" Actually Means
A tool isn't just a function. From the model's perspective it's three things, and each can fail independently:
| Layer | What it is | How it fails |
|---|---|---|
| Schema | The JSON Schema for inputs/outputs | Model emits malformed args; required fields missing |
| Description | Natural-language name + description |
Model picks the wrong tool, or skips a tool it needed |
| Behavior | The tool's actual execution | Right tool, right args, wrong result |
A tool can have a perfect schema, execute flawlessly, and still never get called because its description is ambiguous. Testing only the code misses two-thirds of the surface. We covered why this differs from prompt testing in MCP testing vs tool use — this post is the hands-on version.
Layer 1 — Validate The Schema
Start with the cheapest check. Your input schema is a contract; models violate contracts.
# List your server's tools and dump their schemas
npx @modelcontextprotocol/inspector \
--cli http://localhost:8080/mcp \
--method tools/list | jq '.tools[] | {name, inputSchema}'
Run each schema through a JSON Schema validator and check the obvious failure modes:
- Every required field is actually required (and nothing optional is marked required).
- Enums are enumerated — if a param has fixed values, type it as an
enum, not a free string. Models pick from enums far more reliably. - Types are tight —
integernotstringfor counts;format: "date-time"for timestamps. - No silent
additionalProperties: trueunless you mean it.
Takeaway: a loose schema is an invitation for the model to improvise. Tighten it before you test anything else.
Layer 2 — Test The Descriptions (The Part Everyone Skips)
The model reads your description field to decide whether and when to call the tool. Ambiguous descriptions cause two symptoms: the tool gets called when it shouldn't, or it's ignored when it should fire.
The test: write a set of natural prompts that should trigger each tool and a set of decoys that shouldn't, then see if the model routes correctly. You can drive this across multiple providers at once — because tool-selection behavior varies by model, and you ship to whatever model your users run.
We ran exactly this test against an MCP server with refund_order, get_order_status, and a {"tool":null} fall-through, across three providers and three scenarios: a refund request, a status request, and a "thanks" message that should fire no tool at all.
| Scenario | GPT-5.5 | Opus 4.7 | DeepSeek V4 Pro |
|---|---|---|---|
| Refund order A-1042 | refund_order (A-1042) |
refund_order (A-1042) |
refund_order (A-1042) |
| Status of order A-1042 | get_order_status (A-1042) |
get_order_status (A-1042) |
get_order_status (A-1042) |
| "Thanks, that's all" | {"tool":null,"args":{}} |
{"tool":null,"args":{}} |
{"tool":null,"args":{}} |
| Cost (sum of 3 calls) | $0.00452 | $0.00346 | $0.00221 |
All three models routed all three scenarios correctly — the refund request to refund_order with the right order_id, the status request to get_order_status, and the no-op message to {"tool":null,"args":{}}. Argument extraction was clean across the board: A-1042 came through as {"order_id":"A-1042"} every time, not #A-1042 or a stripped variant. All three returned raw JSON — no markdown fences this run.
The split worth flagging is token efficiency. GPT-5.5 and Opus 4.7 emitted tight 17-43-token responses. DeepSeek V4 Pro used 127-233 output tokens per call — roughly 5-7× more — because the model reasoned through the routing decision before emitting the JSON. Same final answer, much longer envelope, and a ~3-5s response time versus ~1-1.7s for the others. Still came out cheapest in dollars, but that latency would matter in an interactive agent loop.
This is the payoff: your MCP tool routing works — but you only know it works because you proved it across the models you ship to, before shipping. If one model routes correctly and another doesn't, the problem is usually description wording, not the model. Rewrite descriptions to be specifications ("Returns the shipping status for a single order by ID") not invitations ("Use this for order stuff"). For which models tend to call tools most reliably, see tool-calling reliability across providers.
Layer 3 — Test The Tool Call End-To-End
Now verify the model produces valid arguments and the tool returns correct results. Build a small fixture set: prompt in, expected tool + expected args out.
# Pseudocode harness
cases = [
{"prompt": "What's the status of order 4821?",
"expect_tool": "get_order_status",
"expect_args": {"order_id": "4821"}},
{"prompt": "Refund order 4821, customer was charged twice",
"expect_tool": "refund_order",
"expect_args": {"order_id": "4821"}},
]
for c in cases:
call = run_with_tools(model, c["prompt"], tools)
assert call.tool == c["expect_tool"], f"wrong tool: {call.tool}"
assert call.args == c["expect_args"], f"wrong args: {call.args}"
Check specifically for:
- Argument extraction — did
order 4821becomeorder_id: "4821"and not"#4821"or4821(int vs string)? - Hallucinated arguments — did the model invent a field the user never gave?
- Multi-tool sequencing — for a task needing two calls, does it chain them in the right order?
The Pre-Ship Checklist
Run this before every MCP server release:
- Schema lints clean — required fields correct, enums used, types tight.
- Descriptions are specifications, not invitations — and contain zero instruction-like text (that's a security issue, not just a quality one).
- Trigger/decoy routing tested across the models you support.
- Argument extraction verified with a fixture set.
- Multi-call sequences behave on at least one composite task.
- Descriptions re-tested after any change — clients cache approvals by name, so a quiet description edit ships unreviewed.
That last point is also a security door. An attacker-controllable description can carry injected instructions — which is exactly the threat we walk through next in prompt injection via MCP tool descriptions.
The Real Lesson
MCP is infrastructure now, so test it like infrastructure. Schemas, descriptions, and tool-call behavior fail independently — validate all three, across the models you actually ship to. The teams shipping reliable MCP servers in 2026 aren't smarter; they just stopped trusting a single happy-path demo.
For tool worth installing, see the best MCP tools for AI coding in 2026. For the conceptual split between testing prompts and testing tools, see MCP testing vs tool use.
Tests run 2026-05-30 via the Promptster /v1/prompts/compare API. Temperatures as noted. Costs computed from the May 2026 pricing.ts.