Claude Code Permission Modes

Quick answer

Claude Code has three permission modes: default (manual approval for writes and shell commands), auto-accept (every tool call proceeds without prompting), and plan (Claude describes the full plan before running anything). Default is the right starting point. Switch modes with Shift+Tab, or use the --allowedTools and --deniedTools flags for fine-grained control.

Why modes exist

Claude Code is an agent with shell access. It can delete files, push branches, drop databases, and install packages. Permission modes decide how much approval friction sits between the agent and those actions. The right mode depends on how reversible the task is and how much you trust the rules in place.

Default mode

Default is the starting mode for every new session.

What runs without approval:

• Read
• Grep
• Glob
• LS
• Tool calls that only observe the filesystem

What prompts for approval:

• Edit and Write (shows the diff or the new file)
• Bash (shows the exact command)
• NotebookEdit
• Any MCP tool that has write scope

The approval prompt gives four choices:

1. Accept once.
2. Accept and auto-accept similar calls for the rest of the session.
3. Reject.
4. Reject with a message back to Claude explaining why.

Option 2 is the usual pick for repetitive safe calls (git status, pnpm test). Option 4 is how you steer Claude away from a wrong approach without abandoning the session.

Auto-accept mode

Auto-accept removes every approval prompt for the current session. Every tool call runs as soon as Claude issues it.

How to enable it:

1. Press Shift+Tab twice from default mode inside an interactive session.
2. Launch with the --dangerously-skip-permissions flag for headless and CI usage.

When auto-accept is safe:

• In CI pipelines where a hook blocks dangerous bash patterns and tests catch broken code.
• On a throwaway branch or worktree you plan to discard.
• Against a disposable container or sandbox, not your main working tree.
• For refactors where you have already approved the plan and want fast execution.

When auto-accept is dangerous:

• On the main branch of a repo with unsaved work.
• Against a production database or any system with non-reversible side effects.
• Without a PreToolUse hook that blocks destructive shell commands.
• During the first few prompts of a fresh session, before you have seen Claude's approach.

A rule of thumb: if a wrong tool call would take more than 15 minutes to recover from, do not run auto-accept.

Plan mode

Plan mode is the third option. Claude writes out a full plan first, you review and iterate, then you trigger execution.

How to enable it:

1. Press Shift+Tab once from default mode.
2. Ask Claude to "plan before acting" in the first prompt.

The plan includes:

• The files Claude intends to read.
• The files it intends to edit or create.
• The shell commands it intends to run.
• The expected order of operations.

You can revise the plan: change file paths, add steps, drop steps, or tell Claude to split the task across two sessions. Once approved, execution runs in default-mode rules (so destructive calls still prompt).

Plan drift: on very long tasks, Claude sometimes deviates from the approved plan as new information arrives. If you notice drift, interrupt with a message like Stop. Update the plan to reflect what you just learned, then pause for approval again.

Fine-grained control with flags

Beyond whole-session modes, you can allow or deny specific tools.

--allowedTools: a comma-separated list of tool patterns that run without approval even in default mode.

claude --allowedTools "Read,Grep,Glob,Bash(git status),Bash(pnpm test*)"

--deniedTools: a comma-separated list of tool patterns that are blocked outright.

claude --deniedTools "Bash(rm -rf *),Bash(git push --force*),Bash(npm publish*)"

Patterns use tool-name prefixes with optional argument matching:

• Bash: matches any Bash call.
• Bash(*): same.
• Bash(git *): matches any git command.
• Bash(git diff): matches the exact command git diff.
• Bash(pnpm test*): matches commands starting with pnpm test.

More specific patterns win. Bash(git push --force) in deniedTools beats Bash(git ) in allowedTools.

These flags combine with settings.json. A pattern in permissions.allowedTools applies to every session in that scope; the command-line flag applies only to the current session.

Combining modes with hooks

Hooks add a second layer of safety independent of the permission mode. A PreToolUse hook can block any Bash command regardless of the mode, which means auto-accept plus a strong PreToolUse hook can be safer than default mode without one.

Typical hook-plus-auto pattern:

1. Run a PreToolUse hook that blocks destructive patterns.
2. Run a PostToolUse hook that lints and tests after edits.
3. Enable auto-accept for the session.

Now Claude moves fast, the dangerous calls still get blocked by the hook, and any broken code is caught by lint and tests before it matters.

See the hooks reference page for full shell scripts.

Mode by situation

This table is a quick lookup:

Headless and CI usage

In CI you do not have a human to approve prompts. Two flags make Claude Code run unattended:

claude --dangerously-skip-permissions --print "Fix the failing tests and commit."

--dangerously-skip-permissions is the auto-accept equivalent for headless mode. --print runs a single prompt and exits with the final assistant message on stdout.

A CI script with safety rails:

claude \
  --dangerously-skip-permissions \
  --allowedTools "Read,Grep,Glob,Edit,Write,Bash(pnpm *),Bash(git add *),Bash(git commit *)" \
  --deniedTools "Bash(rm *),Bash(git push *),Bash(git reset *)" \
  --print "Update dependencies safely, run tests, and commit if green."

This locks the tool surface down to what is actually needed for the task, so even a confused agent cannot wander off into production-grade damage.

Switching modes mid-session

Shift+Tab cycles through the three interactive modes. The current mode shows in the status bar at the bottom of the session. Cycles:

• Shift+Tab once: default to plan.
• Shift+Tab twice: default to auto-accept.
• Shift+Tab a third time: back to default.

You can also run /status to check the current mode without touching the UI.

Common mistakes

Three patterns come up often:

1. Enabling auto-accept on the main branch, then running Fix the build. Claude edits 30 files, one edit is wrong, the mistake is already committed. Recover with git reset --hard ORIG_HEAD, but only if you remembered to check ORIG_HEAD first.
2. Using plan mode for a one-file change. The overhead is higher than the value. Use plan for tasks that touch 5+ files or run 5+ shell commands.
3. Forgetting that --dangerously-skip-permissions has no safety net beyond hooks. Add hooks before you add the flag.

Permission-mode interaction with tools

Some tool calls are always safe and never prompt regardless of mode: Read, Grep, Glob, LS. Others always prompt in default mode regardless of settings: Write and Edit to files in protected paths. Use permissions.allowedTools to whitelist specific write paths if you want to pre-approve certain directories.