Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/VineeTagarwal-code/claude-code/llms.txt

Use this file to discover all available pages before exploring further.

Claude Code runs tools on your behalf — reading and writing files, executing shell commands, making network requests. The permissions system gives you precise control over which tools run automatically and which pause to ask for your approval.

How permissions work

Every tool use goes through a permission check before Claude executes it. The outcome is one of:
  • Allow — the tool runs immediately without prompting you
  • Ask — Claude pauses and shows you a confirmation prompt
  • Deny — the tool is blocked and Claude receives an error
The decision is made by evaluating your configured rules against the tool name and its input. If no rule matches, Claude prompts you at the ask level.

Permission rules

Rules are written in a simple syntax: ToolName or ToolName(content).
RuleMatches
BashAny Bash command
Bash(git *)Bash commands starting with git
Bash(npm run *)Bash commands starting with npm run
ReadAny file read
WriteAny file write
mcp__my-serverAll tools from the MCP server named my-server
mcp__my-server__searchThe search tool from my-server
Rules support * as a wildcard that matches any sequence of characters.

Configuring rules in settings

Add rules to the permissions object in your settings file. Rules can be set at the user level (~/.claude/settings.json) or the project level (.claude/settings.json or .claude/settings.local.json). 
{
  "permissions": {
    "allow": [
      "Bash(git *)",
      "Bash(npm run *)",
      "Read",
      "Write"
    ],
    "deny": [
      "Bash(rm -rf *)",
      "Bash(git push --force *)"
    ],
    "ask": [
      "Bash(npm publish)"
    ]
  }
}
permissions.allow
string[]
Tools that run automatically without asking you.
permissions.deny
string[]
Tools that are always blocked. Claude receives an error and cannot proceed.
permissions.ask
string[]
Tools that always prompt for confirmation, even in modes that would otherwise skip prompts.
permissions.defaultMode
"default" | "acceptEdits" | "bypassPermissions" | "dontAsk" | "plan"
Default permission mode when Claude Code starts. See Permission modes below.
permissions.additionalDirectories
string[]
Additional directories to include in the permission scope. By default, Claude can only access files under the current working directory. Add paths here to grant access to directories outside it.
permissions.disableBypassPermissionsMode
"disable"
Set to "disable" to prevent users from entering bypass permissions mode in this project.

Permission modes

You can change how Claude handles permission prompts for an entire session using the permission mode toggle (press Shift+Tab to cycle through modes).
ModeBehavior
defaultAsks for approval on any tool that doesn’t have an explicit allow rule
acceptEditsAutomatically approves file edits within the working directory; still asks for shell commands
bypassPermissionsSkips all prompts — Claude runs tools without asking. Requires explicit acceptance of the warning dialog
dontAskConverts all ask decisions to deny. Claude cannot use tools it doesn’t already have permission for
planRead-only mode: Claude can read and analyze but cannot write files or run commands
bypassPermissions mode turns off all permission prompts. Only use it in trusted environments where you have reviewed the task and understand the risks. Certain safety checks (such as writes to .git/, .claude/, and shell config files) still prompt even in bypass mode.

Approving tools at the prompt

When Claude needs to use a tool that requires approval, you see a prompt similar to: 
Claude wants to run:
  Bash: npm install lodash

[y] Allow once   [Y] Always allow   [n] Deny once   [N] Always deny
Your choices:
  • Allow once — permits this specific invocation; Claude will ask again next time
  • Always allow — adds an allow rule to your local settings for this tool pattern
  • Deny once — blocks this specific invocation; Claude receives an error
  • Always deny — adds a deny rule to your local settings
When you select “Always allow” or “Always deny”, the rule is saved to .claude/settings.local.json in your project (gitignored) so it persists across sessions but doesn’t affect teammates.

The /permissions command

Run /permissions (or /allowed-tools) in a Claude Code session to open the interactive permissions panel. From there you can:
  • View all current allow, deny, and ask rules
  • See which settings file each rule comes from (user, project, local, or managed)
  • Delete rules you no longer want
  • Add new rules

Rule scopes and precedence

Rules from different sources are merged and evaluated together. A deny rule always takes precedence over an allow rule at the same level.
SourceFile
User~/.claude/settings.json
Project (shared).claude/settings.json
Project (local).claude/settings.local.json
CLI argument--allow-tool, --disallow-tool flags
ManagedEnterprise managed settings
Use project settings (.claude/settings.json) to share safe defaults with your team, and local settings (.claude/settings.local.json) for personal rules you don’t want to commit.

Per-project permissions

Project settings let you define a consistent permission policy for everyone working on a codebase. For example, a project that uses make for its build system might allow those commands for all contributors: 
{
  "permissions": {
    "allow": [
      "Bash(make *)",
      "Bash(go build *)",
      "Bash(go test *)",
      "Read",
      "Write"
    ],
    "deny": [
      "Bash(make deploy)"
    ]
  }
}
Commit this file as .claude/settings.json so every developer who clones the repository automatically inherits these rules.

MCP tool permissions

MCP server tools follow the same rule syntax. Use the mcp__serverName prefix to match tools from a specific server: 
{
  "permissions": {
    "allow": [
      "mcp__filesystem",
      "mcp__github__create_issue"
    ],
    "deny": [
      "mcp__filesystem__write_file"
    ]
  }
}

Bypass permissions mode

You can start Claude Code with bypass permissions enabled using the --dangerously-skip-permissions flag: 
claude --dangerously-skip-permissions
This flag sets the initial mode to bypassPermissions and skips the confirmation dialog. It is intended for automated CI/CD environments where you have pre-reviewed the task and there is no interactive terminal. Do not use this flag for interactive sessions on machines with sensitive data.
Even in bypass mode, writes to .git/, .claude/, .vscode/, and shell config files (.bashrc, .zshrc, etc.) still trigger a safety prompt. These paths are intentionally protected to prevent accidental corruption of version control state or your shell environment.

Enterprise permission controls

Enterprise administrators can restrict how users configure permissions through managed settings: 
{
  "permissions": {
    "allow": ["Read", "Bash(git *)"],
    "deny": ["Bash(curl *)"],
    "defaultMode": "default"
  },
  "allowManagedPermissionRulesOnly": true,
  "permissions": {
    "disableBypassPermissionsMode": "disable"
  }
}
  • allowManagedPermissionRulesOnly — only permission rules from managed settings are used; user and project rules are ignored
  • disableBypassPermissionsMode — prevents users from entering bypass mode