Permissions & Permission Modes
Permissions decide what Claude Code can do without stopping to ask you. Tune them well and you get flow without losing control; tune them badly and you either rubber-stamp everything or drown in prompts.
The three verdicts
Every potential action resolves to one of:
- allow — do it, no prompt.
- ask — pause and ask you (the default for anything not explicitly allowed/denied).
- deny — never, not even if asked.
Rules typically match a tool plus a pattern, e.g. allow Bash(npm run test:*) or deny Read(./.env).
Permission modes
A mode sets the overall posture for a session:
| Mode | Behaviour | Use when |
|---|---|---|
| default / ask | Prompts for anything not pre-allowed | Day-to-day work |
| plan | Read-only; proposes, never acts | Big/risky tasks — see Plan Mode |
| acceptEdits | Auto-accepts file edits | A trusted, well-scoped editing session |
| bypass / yolo | Skips prompts entirely | Sandboxes/CI only — never on a machine with secrets |
:::warning Bypass belongs in a sandbox
Running with all prompts off on your real machine is how an agent ends up touching something it shouldn't. Reserve it for disposable environments. See Hardening Autonomous Runs.
:::
A sane starting allowlist
The goal: pre-allow the safe, repetitive things; keep destructive things on ask or deny.
- Allow: read files, run your test/lint/build commands, git status/diff.
- Ask: installing dependencies, writing files outside the project, network calls.
- Deny: reading secret files (.env, key files), force-push, rm -rf.
Store project rules in settings.json (shared) and personal overrides in settings.local.json.
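An added example, not part of the original page or of Claude Code itself: a small audit that checks a settings.json against the starting allowlist above. It assumes rules live under `permissions.allow` / `ask` / `deny` with an optional `defaultMode`; both sample configs, the npm script names and the `bypassPermissions` value are constructed for illustration.

```python
import json

# Constructed sample settings.json following the starting allowlist above.
GOOD = """{"permissions": {
  "allow": ["Read", "Bash(npm run test:*)", "Bash(npm run lint:*)",
            "Bash(git status)", "Bash(git diff:*)"],
  "ask":   ["Bash(npm install:*)", "WebFetch"],
  "deny":  ["Read(./.env)", "Read(./secrets/**)",
            "Bash(git push --force:*)", "Bash(rm -rf:*)"]}}"""

# Constructed weak config: prompts off, shell pre-allowed, nothing denied.
WEAK = """{"permissions": {
  "defaultMode": "bypassPermissions",
  "allow": ["Bash", "Bash(rm -rf:*)", "Read"]}}"""

DESTRUCTIVE = ("rm -rf", "push --force", "push -f")  # from the Deny bullet


def audit(settings_text):
    """Return a list of findings for a settings.json document (as text)."""
    perms = json.loads(settings_text).get("permissions", {})
    allow = perms.get("allow", [])
    deny = perms.get("deny", [])
    findings = []

    # A bypass-style default mode is reserved for sandboxes/CI on this page.
    if str(perms.get("defaultMode", "")).lower().startswith("bypass"):
        findings.append("default mode skips prompts")

    for rule in allow:
        # A bare tool name or catch-all pattern pre-approves any shell command.
        if rule in ("Bash", "Bash(*)"):
            findings.append(f"unscoped shell allow: {rule}")
        # Destructive commands belong on ask or deny, never allow.
        if any(d in rule for d in DESTRUCTIVE):
            findings.append(f"destructive command allowed: {rule}")

    # Broad Read access is acceptable only if secret files are denied.
    if not any(r.startswith("Read(") and ".env" in r for r in deny):
        findings.append("no deny rule for .env")
    return findings


if __name__ == "__main__":
    for name, text in (("good", GOOD), ("weak", WEAK)):
        print(name, audit(text) or "no findings")
```

Run it in CI against the shared settings.json so an over-broad allow rule is caught in review rather than at the prompt.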
:::tip Let it learn from your prompts
Approve the same safe command a few times and you'll know exactly what to add to your allowlist — turning repeated prompts into a one-time rule.
:::
Next
- settings.json: The Config System
- Hooks — enforce rules deterministically, beyond allow/deny
- Security & Responsible Use