What are the Claude Code permission modes?

Claude Code has 3 permission modes: (1) Default — Claude prompts you before running any potentially destructive tool (file writes, shell commands, git operations). You approve or deny each one. (2) Auto-approve — you pre-configure an allow list of tools/patterns that Claude can run without asking. Everything else still prompts. (3) --dangerously-skip-permissions — bypasses ALL permission prompts. Intended for trusted CI/CD environments only; never use in interactive sessions on shared machines.

How do I set up an allow list in Claude Code?

Add an 'allowedTools' array to your .claude/settings.json (project-level) or ~/.claude/settings.json (global). Each entry is a tool name like 'Bash', 'Edit', or a pattern like 'Bash(npm run **)'. Entries in 'allowedTools' are auto-approved without prompting. Example: {"allowedTools": ["Read", "Glob", "Grep", "Bash(npm run **)", "Bash(git log **)"]}

When should I use --dangerously-skip-permissions?

Only in isolated, non-interactive environments: a CI/CD pipeline running in a Docker container, a sandboxed VM, or a fully automated agent that has no access to sensitive systems. Never use it in an interactive terminal on your dev machine or on any machine with access to production systems. The flag bypasses ALL tool permission checks — file deletion, arbitrary shell commands, git pushes. It's designed for automation, not convenience.

What is the difference between project settings and user settings for permissions?

Project settings (.claude/settings.json in your repo root) apply to everyone who uses Claude Code in that project and are usually committed to version control. User settings (~/.claude/settings.json) apply to you across all projects and are not committed. If the same tool is in both allow lists, the project setting takes precedence for that project. Use project settings for team-wide conventions (e.g., auto-approve read-only tools); use user settings for personal workflow preferences.

How do Claude Code hooks interact with permissions?

Hooks run AFTER permission checks — a tool must be approved before its hook fires. But hooks can also block tool execution: a PreToolUse hook that exits with a non-zero code causes Claude to cancel the tool call, even if permissions would have allowed it. This makes hooks a powerful second layer of safety — you can allow a broad pattern like 'Bash(**) ' in the allow list but use a PreToolUse hook to block specific destructive commands like 'rm -rf' or 'git push --force'.

How do I allow specific bash commands without allowing all bash?

Use glob patterns in the allowedTools entry for Bash: 'Bash(npm run **)' allows any npm run command, 'Bash(git log **)' allows git log but not git push. The pattern matches the full command string. You can also combine with hooks: add 'Bash' to allowedTools (allow all) and use a PreToolUse hook to block specific commands. Example allow list: ["Bash(npm run **)", "Bash(git diff **)", "Bash(git log **)", "Read", "Glob", "Grep"]

What does 'Permission denied' mean in Claude Code?

It means you denied a permission prompt that Claude needed to complete the task. Claude will usually explain what it was trying to do and offer an alternative approach. You can re-approve it in the next prompt, add it to your allow list for future sessions (type 'y' and 'always allow this' when prompted), or use a different approach that doesn't require the denied tool. Denying a permission does not break Claude — it will continue working with the tools it has access to.

Claude Code Permissions

How allow lists, permission modes, and tool access controls work — and how to configure them for your workflow.

The Three Permission Modes

Every Claude Code session uses one of three permission models:

Mode	How it works	When to use
Default safest	Claude prompts before any write, shell, or destructive operation. You approve/deny each.	Interactive dev sessions. Always safe to start here.
Allow list recommended	Pre-approved tools/patterns run without prompting. Everything else still asks.	Reducing prompt fatigue while keeping control of dangerous operations.
`--dangerously-skip-permissions` use with care	Bypasses ALL permission prompts. Claude runs any tool without asking.	Isolated CI/CD pipelines only. Never in interactive sessions.

Setting Up an Allow List

Add an allowedTools array to your settings file. Claude auto-approves anything that matches without prompting.

Project allow list (.claude/settings.json)

Commit this to your repo so the whole team gets the same auto-approvals:

{
  "allowedTools": [
    "Read",
    "Glob",
    "Grep",
    "Bash(npm run **)",
    "Bash(git log **)",
    "Bash(git diff **)",
    "Bash(git status)"
  ]
}

User allow list (~/.claude/settings.json)

Applies to you across all projects. Good for personal workflow preferences:

{
  "allowedTools": [
    "Read",
    "Glob",
    "Grep",
    "Edit",
    "Bash(npm **)",
    "Bash(cargo **)",
    "Bash(python **)"
  ]
}

Pattern syntax

Entry	What it allows
`"Read"`	Any Read tool call (read any file)
`"Bash"`	Any bash command — use with caution
`"Bash(npm run **)"`	Only `npm run <anything>` commands
`"Bash(git log **)"`	Only `git log ...` commands
`"Bash(git diff **)"`	Only `git diff ...` commands

Tip: Run /fewer-permission-prompts inside Claude Code to auto-scan your recent session transcripts and generate an optimized allow list. It identifies which tools you always approve and adds them for you.

Permission Prompts at Runtime

When Claude needs to run a tool not in your allow list, it shows a prompt like:

Claude wants to run: Bash("git push origin main")
Allow? [y/n/always/never]

y — approve once
n — deny; Claude will try an alternative approach
always — approve now and add to your allow list permanently
never — deny now and add to your deny list permanently

Using --dangerously-skip-permissions

This flag bypasses all permission prompts. Claude runs every tool — file deletes, shell commands, git pushes — without asking.

claude --dangerously-skip-permissions "refactor auth module and run tests"

	Safe ✓	Unsafe ✗
CI/CD Docker container (isolated)	✓
Sandboxed VM with no sensitive data	✓
Your dev machine with AWS credentials		✗
Shared machines / SSH servers		✗
Any machine with production access		✗

Why the name? The verbose flag name is intentional — it forces you to think about what you're doing. If you find yourself typing it in an interactive session, that's a signal to use an allow list instead.

Hooks as a Second Safety Layer

Even with a broad allow list, you can use hooks to block specific dangerous commands. A PreToolUse hook that exits non-zero cancels the tool call before it runs.

{
  "hooks": {
    "PreToolUse": [{
      "matcher": "Bash",
      "hooks": [{
        "type": "command",
        "command": "bash -c 'echo \"$CLAUDE_TOOL_INPUT\" | grep -qE \"(rm -rf|git push --force|DROP TABLE)\" && exit 1 || exit 0'"
      }]
    }]
  }
}

This allows Bash broadly in the allow list but blocks rm -rf, force-push, and SQL drops.

Deny Lists

The inverse of an allow list: tools you never want Claude to use. Add them to bannedTools:

{
  "bannedTools": [
    "Bash(git push **)",
    "Bash(rm -rf **)"
  ]
}

Banned tools are blocked regardless of what you type at a permission prompt — Claude won't even ask.

Checking What's Currently Allowed

Run /config inside Claude Code to see the active settings for your current session, including the resolved allow list (merged from project + user settings).

Related Guides

Claude Code Hooks — run shell commands on tool events; block calls pre-execution
Setup Guide — install, configure, and run your first session
Parallel Agents with Worktrees — run multiple Claude agents on isolated branches
Full Cheatsheet — all CLI flags, slash commands, keyboard shortcuts
All Claude Code Skills — back to the full directory

Claude Code Permissions

The Three Permission Modes

Setting Up an Allow List

Project allow list (.claude/settings.json)

User allow list (~/.claude/settings.json)

Pattern syntax

Permission Prompts at Runtime

Using --dangerously-skip-permissions

Hooks as a Second Safety Layer

Deny Lists

Checking What's Currently Allowed

Related Guides

More Claude Code Tools