
OpenAI Agents SDK: handoffs & guardrails

A lightweight, production-minded agent framework: Agents, Runner, Tools, Handoffs, Guardrails, and Sessions. The default starting point for many production agentic systems in 2026.

8 min read · Intermediate · Agentic AI · Lesson 24 of 42

What you'll learn

  • The core primitives — Agent, Runner, tools, handoffs, guardrails, sessions
  • How handoffs route a task between specialized agents
  • Where input/output guardrails sit and why they matter

Before you start

After a wave of heavy frameworks, the OpenAI Agents SDK went the other way: small, explicit, few abstractions. In 2026 it’s a common default for production-grade agents, precisely because there’s so little magic — you can read the whole mental model in one lesson. (It’s provider-flexible too, not OpenAI-only.)

Five primitives

  • Agent — an LLM plus instructions, a set of tools, and optionally some handoffs. That’s it.
  • Runner — runs the agent loop: call the model, run any tool it picked, feed the result back, repeat until a final answer.
  • Tools — Python functions exposed to the agent (plus hosted tools and MCP servers).
  • Handoffs — one agent can delegate the conversation to another, more specialized agent. A handoff is literally implemented as a tool call (transfer_to_X), so it shows up in the trace like any other action.
  • Guardrails — input and output checks that run alongside the agent and can halt it (e.g. block off-topic input, validate output) — see prompt injection & guardrails.
  • Sessions — automatic conversation history across runs, so you don’t hand-thread state.

Handoffs: a triage agent routing to specialists

The signature pattern is handoffs: a cheap triage agent classifies the request and transfers to the right specialist.

[Diagram: Triage agent (classifies the request) → transfer_to_billing → Billing agent, or → transfer_to_technical → Technical agent. Guardrails wrap all of it: input check → agent run → output check.]
A handoff is a transfer tool call; guardrails run input/output checks around the whole thing.
import asyncio
from agents import (
    Agent, Runner, input_guardrail,
    GuardrailFunctionOutput, InputGuardrailTripwireTriggered,
)

billing = Agent(name="Billing", instructions="Handle refunds and invoices.")
technical = Agent(name="Technical", instructions="Handle bugs and how-tos.")

@input_guardrail
async def on_topic(ctx, agent, user_input) -> GuardrailFunctionOutput:
    # user_input is the raw user message (a string, or a list of input items).
    ok = True   # placeholder: put your real on-topic check here
    return GuardrailFunctionOutput(tripwire_triggered=not ok, output_info={})

triage = Agent(
    name="Triage",
    instructions="Route the user to Billing or Technical.",
    handoffs=[billing, technical],          # delegate to a specialist
    input_guardrails=[on_topic],            # block off-topic before running
)

async def main():
    try:
        result = await Runner.run(triage, "I want a refund on last month's invoice")
    except InputGuardrailTripwireTriggered:
        print("blocked by input guardrail")   # the agent loop never started
        return
    # → triage calls transfer_to_billing; Billing answers. The handoff is in the trace.
    print(result.last_agent.name, result.final_output)

asyncio.run(main())
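The loop that the five primitives describe, shown as an added example that is not the SDK's own code: a miniature runner with a scripted stand-in for the model, so it runs offline with no API key. It shows the handoff as a transfer_to_X tool call that lands in the trace like any other action, an input guardrail that halts the run before the agent ever starts, an output guardrail that halts it before a leaked card number reaches the user, and a hard turn cap. The Agent, Step and GuardrailOutput classes, the invoice record, the keyword lists and the scripted_model function are all assumptions of this example, not the real agents package.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

# Stand-ins for the SDK primitives; this is NOT the real `agents` package.
@dataclass
class GuardrailOutput:
    tripwire_triggered: bool
    info: str = ""

@dataclass
class Agent:
    name: str
    tools: dict = field(default_factory=dict)            # tool name -> callable(args) -> str
    handoffs: list = field(default_factory=list)         # specialist Agents
    input_guardrails: list = field(default_factory=list)
    output_guardrails: list = field(default_factory=list)

@dataclass
class Step:                      # one model decision: call a tool, or finish
    tool: Optional[str] = None   # a transfer_to_X handoff is just another tool name
    args: str = ""
    final: Optional[str] = None

class GuardrailTripped(Exception):
    pass

def run(agent: Agent, user_input: str, model: Callable, max_turns: int = 8) -> dict:
    """The loop: input guardrails once, then model -> tool -> feed back, then output guardrails."""
    for g in agent.input_guardrails:                      # raw user input is checked by the first agent
        if g(user_input).tripwire_triggered:
            raise GuardrailTripped(f"input guardrail {g.__name__} tripped")
    transcript, trace = [f"user: {user_input}"], []
    for _ in range(max_turns):                            # hard cap: no unbounded tool loops
        step = model(agent, transcript)
        if step.final is not None:
            for g in agent.output_guardrails:             # the agent that answers checks its output
                if g(step.final).tripwire_triggered:
                    raise GuardrailTripped(f"output guardrail {g.__name__} tripped")
            trace.append(f"{agent.name}: final answer")
            return {"final_output": step.final, "last_agent": agent.name, "trace": trace}
        if step.tool.startswith("transfer_to_"):
            wanted = step.tool.removeprefix("transfer_to_")
            target = next(a for a in agent.handoffs if a.name.lower() == wanted)
            trace.append(f"{agent.name}: {step.tool} -> {target.name}")
            agent = target                                # the conversation now belongs to the specialist
            continue
        result = agent.tools[step.tool](step.args)
        trace.append(f"{agent.name}: {step.tool}({step.args})")
        transcript.append(f"tool {step.tool}: {result}")  # tool output goes back to the model
    raise RuntimeError(f"max_turns={max_turns} exceeded in {agent.name}")

# Guardrails, tools and agents; invoice data and keyword lists are constructed samples.
SUPPORT_WORDS = ("refund", "invoice", "bug", "error", "crash", "install")
CARD_RE = re.compile(r"\b\d{4}(?:[ -]?\d{4}){3}\b")      # an unmasked 16-digit card number

def on_topic(text: str) -> GuardrailOutput:
    ok = any(w in text.lower() for w in SUPPORT_WORDS)
    return GuardrailOutput(tripwire_triggered=not ok, info="off-topic")

def no_card_numbers(text: str) -> GuardrailOutput:
    return GuardrailOutput(tripwire_triggered=CARD_RE.search(text) is not None, info="card leak")

def lookup_invoice(invoice_id: str) -> str:
    return {"INV-1042": "INV-1042: $40.00 paid with card ending 4242"}.get(invoice_id, "not found")

billing = Agent("Billing", tools={"lookup_invoice": lookup_invoice}, output_guardrails=[no_card_numbers])
technical = Agent("Technical")
triage = Agent("Triage", handoffs=[billing, technical], input_guardrails=[on_topic])
# A mis-built specialist whose tool returns a full card number; the output guardrail must catch it.
leaky_billing = Agent("Billing", tools={"lookup_invoice": lambda _: "INV-1042: card 4111 1111 1111 1111"},
                      output_guardrails=[no_card_numbers])

def scripted_model(agent: Agent, transcript: list) -> Step:
    """Deterministic stand-in for the LLM so the loop runs offline."""
    user = transcript[0].lower()
    if agent.name == "Triage":
        to_billing = "refund" in user or "invoice" in user
        return Step(tool="transfer_to_billing" if to_billing else "transfer_to_technical")
    if agent.name == "Billing":
        looked_up = [t for t in transcript if t.startswith("tool lookup_invoice: ")]
        m = re.search(r"inv-\d+", user)
        if m and not looked_up:
            return Step(tool="lookup_invoice", args=m.group(0).upper())
        detail = looked_up[-1].split(": ", 1)[1] if looked_up else "no invoice id given"
        return Step(final=f"Refund started. {detail}")
    return Step(final="Please paste the error message and we'll debug it.")

def guarded_run(agent: Agent, text: str) -> str:
    """Return the answer, or the guardrail verdict when a tripwire halted the run."""
    try:
        return run(agent, text, scripted_model)["final_output"]
    except GuardrailTripped as e:
        return f"blocked: {e}"
```

Run `run(triage, "I want a refund on invoice INV-1042", scripted_model)` and the trace reads Triage → transfer_to_billing → Billing, a lookup_invoice call, then a final answer; `guarded_run(triage, "Write me a poem about the sea")` never reaches the model because the input guardrail trips first, and `guarded_run(leaky_billing, ...)` is stopped by the output guardrail. The real SDK has the same shape: Runner.run raises InputGuardrailTripwireTriggered or OutputGuardrailTripwireTriggered when a tripwire fires, and its max_turns argument is the loop cap; the stand-in here exists only to make that control flow visible without a model call.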

Quick check

Q1. What is a 'handoff' in the OpenAI Agents SDK?
Q2. Where do guardrails run in the SDK?
Q3. Why do teams choose the OpenAI Agents SDK for production?

Next

Whatever framework you pick, production agents need measurement and limits: evaluating agents, observability, and cost control.


Practice this in an interview

What are the major security risks of deploying autonomous agents?

Key risks include prompt injection, especially indirect injection via tool or retrieval outputs, hijacking the agent, excessive tool permissions enabling damaging actions, data exfiltration, confused-deputy privilege escalation, and unbounded loops driving cost or harm. Mitigations include least-privilege tools, sandboxing, input and output guardrails, human-in-the-loop approval for sensitive actions, and audit logging.

What is an AI agent, and how does it differ from a single LLM call?

An agent is an LLM placed in a loop where it reasons, chooses and calls tools or actions, observes the results, and repeats until a goal is met, rather than producing one response and stopping. The key differences are autonomy, tool use, memory and state, and multi-step control flow driven by the model's own decisions.

How do you operationalize responsible AI, and what changes under the EU AI Act for a high-risk system?

Operationalizing responsible AI means turning principles like fairness, transparency, and accountability into concrete, automated controls: bias and fairness tests in the pipeline, data and model documentation, human oversight, and continuous monitoring with audit trails. Under the EU AI Act, high-risk systems carry specific obligations including data governance and bias assessment, risk management, technical documentation, logging, human oversight, and post-market monitoring. The practical shift is that fairness and governance become gated, evidenced requirements rather than optional add-ons.

How do function/tool calling and LLM agents work at a high level?

Tool calling extends the LLM's output space to include structured function invocations. The model emits a JSON object naming a tool and its arguments; the runtime executes the tool and feeds the result back as a new message. An agent is a loop that repeats this cycle — observe, think, act — until the task is complete or a stopping condition is met.
