Permissions & tool allowlists
Permissions and tool allowlists in Claude Code form a security gateway that controls which tools Claude can use automatically, which require explicit human approval, and which are blocked outright. The system evaluates rules in a strict hierarchy: deny rules fire first and block unconditionally, then allow rules grant silent auto-approval, and anything not matched either prompts the user or is blocked depending on the active permission mode. Rules are expressed as strings like 'Bash(npm run test)' or 'Read(~/.zshrc)' and stored in settings.json files at the global (~/.claude/settings.json) or project (.claude/settings.json) level.
Permission modes set the overall posture of the session. The default mode ('default') asks before most tool uses. 'acceptEdits' silently approves file read/write operations but still prompts for shell commands. 'bypassPermissions' silently approves everything (hooks can still block actions). 'dontAsk' prevents all tool execution — useful for read-only analysis. These modes can be set via the CLI flag --permission-mode, via the SDK's permissionMode option, or toggled interactively during a session.
The feature is mandatory for any autonomous or semi-autonomous Claude Code workflow. Without it, every file write and shell command requires manual approval. With it, developers can define precise safe corridors — for example, allowing npm test but blocking npm install — so Claude can work quickly on permitted tasks while dangerous operations are caught automatically before execution.
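A minimal evaluator for the deny → allow → mode hierarchy described above, added here as an illustration; it is not Claude Code's own implementation, the settings fragment is constructed, and the `:*` prefix and `*` glob matching semantics are assumptions of this simplified model.

```python
import fnmatch
import re

SETTINGS = {  # constructed settings.json content for illustration (not a real project's)
    "permissions": {
        "allow": ["Bash(npm run test)", "Bash(npm run lint:*)", "Read(./src/*)"],
        "deny": ["Bash(npm install*)", "Read(./.env)", "Read(~/.zshrc)"],
    }
}

RULE_RE = re.compile(r"^(\w+)(?:\((.*)\))?$")

def parse_rule(rule):
    """Split 'Tool(specifier)' into (tool, specifier); a bare 'Tool' matches every use."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"malformed permission rule: {rule!r}")
    return m.group(1), m.group(2)

def rule_matches(rule, tool, arg):
    """True if `rule` covers a call of `tool` with argument `arg`."""
    rule_tool, spec = parse_rule(rule)
    if rule_tool != tool:
        return False
    if spec is None:
        return True
    # Assumed matching semantics (simplified model, not Claude Code's actual matcher):
    # a trailing ':*' is a prefix match; otherwise a shell-style glob where '*' matches anything.
    if spec.endswith(":*"):
        return arg.startswith(spec[:-2])
    return fnmatch.fnmatchcase(arg, spec)

def decide(settings, mode, tool, arg):
    """Return 'deny', 'allow' or 'ask' following the deny -> allow -> mode hierarchy."""
    perms = settings.get("permissions", {})
    # 1. Deny rules fire first and block unconditionally, whatever the mode.
    if any(rule_matches(r, tool, arg) for r in perms.get("deny", [])):
        return "deny"
    # 2. Allow rules grant silent auto-approval.
    if any(rule_matches(r, tool, arg) for r in perms.get("allow", [])):
        return "allow"
    # 3. Unmatched: the active permission mode decides the outcome.
    if mode == "bypassPermissions":
        return "allow"
    if mode == "dontAsk":
        return "deny"
    if mode == "acceptEdits" and tool in ("Read", "Edit", "Write"):
        return "allow"
    return "ask"  # 'default' mode prompts the human
```

Note that a deny rule still blocks `npm install` under bypassPermissions, which is exactly the corridor the page describes: fast on permitted work, hard-stopped on listed dangerous operations.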
When you’d use it
- Safe onboarding for junior developers — A team lead wants Claude to help a new hire run linters and tests but prevent accidental reads of .env files or calls to external APIs during pair programming sessions.
- High-velocity refactoring without approval fatigue — A developer is doing a large multi-file rename refactor and wants Claude to silently write file changes (acceptEdits mode) without prompting on every edit, while still requiring approval for any shell command.
- Headless CI/CD pipeline automation — A CI job runs Claude Code inside an ephemeral container to auto-fix lint errors and run tests. The pipeline has no TTY, so --permission-mode dontAsk or bypassPermissions is used to eliminate all interactive prompts.
- Enterprise role-based tool access — A security team wants product engineers to freely use GitHub CLI for PRs but to be blocked from SSH-based deploy commands and always prompted before running package manager installs.
- Long-running agent tasks with minimal interruption — A Max plan user wants Claude to run a multi-hour test suite, fix failures, and summarize results with few interruptions. Auto mode delegates routine approvals to model-based classifiers while flagging genuinely risky actions.
What changed recently
- 2026-06-15 — Claude Agent SDK became available on Pro, Max, Team, and Enterprise plans, enabling programmatic use of permissionMode, allowedTools, and disallowedTools in Python and TypeScript without requiring a separate Console API key.
- 2026-05 — Anthropic doubled Claude Code's five-hour rate limits for Pro, Max, Team, and seat-based Enterprise plans and removed the peak-hours rate reduction for Pro and Max accounts, enabling longer uninterrupted autonomous workflows.
- 2026-03-25 — Auto mode launched for Max plan users. Model-based classifiers handle routine permission approvals automatically, operating as a two-layer system: one layer for prompt injection detection at input and one for exfiltration attempt detection at output. Broad wildcard shell rules are dropped when auto mode is active.
- 2026-03-16 — Desktop extension (MCP / plugin) allowlist feature launched. The allowlist is disabled by default; organizations must activate it and populate it explicitly. An empty array means complete lockdown. Supports exact source matching plus hostPattern and pathPattern regex matching.