Vibe Coding
Back to Claude Code

Claude Code / Use

permission mode

Completely understand the default, acceptEdits, plan, auto, dontAsk and bypassPermissions permission modes of Claude Code, as well as the switching methods in CLI, IDE, desktop and web pages.

permission mode key concepts infographic
permission mode key concepts infographic

What does permission mode do?

When Claude Code wants to edit a file, run a shell command, or make a network request, it typically pauses and asks for approval. Permission mode controls how often such pauses occur, and also determines whether a session is more manual review or longer and autonomous.

Choose more supervision for sensitive tasks; fewer interruptions when you already trust the direction and the work environment is controllable. Permissions mode is not a simple "safe/unsafe" switch, but a trade-off between convenience and oversight.

Patterns are just baselines. You can still overlay permission rules on top of it to pre-allow, ask, or deny specific tools. Deny rules and explicit ask rules apply in every mode, including bypassPermissions; allow rules in bypassPermissions usually don't make sense because other actions are already approved.

Available modes

Claude Code officially divides common permission modes into six categories. They determine which actions can be performed without prompting, and in what scenarios they are appropriate.

modeRun without askingmost suitable
defaultRead only. Asked before editing a file, running a shell command, or connecting to the Internet.Entry, sensitive work, repositories requiring step-by-step review.
acceptEditsReading, file editing, and common file system commands.When you're ready to review your changes via an editor or git diff.
planOnly read and explore; used to formulate plans, do not directly edit the source code.Before changing the code, first understand the code base, demolition plan, and review path.
autoAll operations pass through the background security classifier first, and routine prompts are greatly reduced.Long missions, reduced prompt fatigue, trusted directions but still subject to safety checks.
dontAskOnly run pre-approved tools, other calls will be automatically rejected as prompted.Lock down CI, scripted environment, non-interactive execution.
bypassPermissionsAll tool calls are executed directly, skipping permission prompts and security checks.Only isolate containers, VMs, dev containers without host risk.

Protected path exception

Except for bypassPermissions, writes to protected paths are not automatically approved by normal mode. default, acceptEdits, and plan will prompt, auto will hand it over to the classifier, and dontAsk will reject it.

Switch mode

Modes should be switched via CLI parameters, the status bar, the mode selector, or a settings file rather than verbally asking Claude to change modes in chat.

1

Switching within a CLI session

Press Shift+Tab to cycle through default, acceptEdits, and plan. auto will appear after the account requirements are met; bypassPermissions will only be added to the loop after being enabled with the relevant startup flag; dontAsk will not appear in the loop.

Shift+Tab
2

Specified when CLI starts

Use --permission-mode to specify the starting mode for this session. Running non-interactively with -p also uses the same flag.

claude --permission-mode plan
claude --permission-mode acceptEdits
claude --permission-mode dontAsk
3

Set default mode

Configure permissions.defaultMode in the settings file. Note that auto default mode should be placed in user or managed settings, newer versions ignore auto in project or local settings.

{
  "permissions": {
    "defaultMode": "acceptEdits"
  }
}

How to switch between entrances

The UI names of different portals are slightly different, but ultimately map to the same set of permission modes.

claude remote-control --permission-mode acceptEdits
entranceSwitch modeSpecial instructions
CLIShift+Tab or --permission-modedefault -> acceptEdits -> plan is the basic loop; optional mode is inserted according to the enabled state.
VS CodeClick the mode indicator at the bottom of the prompt boxAsk before edits=default,Edit automatically=acceptEdits,Plan mode=plan。
JetBrainsOperate in CLI mode in IDE terminalThe plug-in runs Claude Code in the IDE terminal.
DesktopMode selector next to send buttonAuto and Bypass need to be enabled in Desktop settings to appear.
Web / mobileclaude.ai/code or the drop-down menu next to the mobile prompt boxCloud sessions provide Accept edits, Plan mode, and Auto; Bypass is not available.
Remote ControlPass parameters when drop-down menu or starting hostRuns on the local machine and supports Ask permissions, Auto accept edits, and Plan mode.

acceptEdits

acceptEdits allows Claude to create and edit files in the working directory without prompting for items. It is suitable for the working method of "let Claude make batch changes first, and then you review them uniformly in the IDE or git diff".

In addition to file editing, acceptEdits automatically approves common file system Bash commands such as mkdir, touch, rm, rmdir, mv, cp, sed. Automatic approval is also available when prefixed with secure environment variables or common process wrappers.

Automatic approval scope only applies to paths within the working directory or additionalDirectories. Out-of-scope paths, protected path writes, and other Bash commands will still prompt. Set-Content, Add-Content, Clear-Content, Remove-Item, and common aliases are also automatically approved in scope when the PowerShell tool is enabled.

  • Perfect for when you're ready to review your diffs instead of clicking through the task of approval for each edit.
  • Not suitable for Claude to operate production environments, home directories, or sensitive configurations without supervision.
  • If the command is not a common file system command, you will still return to the prompt process.
claude --permission-mode acceptEdits

plan

Plan mode is used to research and come up with a plan first. Claude can read files, run exploratory shell commands, and write out scenarios, but it won't edit your source code directly.

Entry methods include Shift+Tab, using /plan before a single prompt, or specifying --permission-mode plan when starting the CLI. Press Shift+Tab again to leave plan mode without approving the plan.

When the plan is ready, Claude asks how to proceed. You can approve and enter auto mode, approve and accept edits, approve but review item by item, continue planning and give feedback, or use Ultraplan for browser-based plan review.

Approving the plan will exit plan mode and switch to the corresponding permission mode according to the approval method you selected, and Claude will start editing. Ctrl+G opens the proposed plan in the default text editor, allowing you to modify it directly before execution.

claude --permission-mode plan

# Single prompt to enter planning
/plan Read the payment module first and list the change plan, do not change the file

Set plan as default

You can set permissions.defaultMode = "plan" in .claude/settings.json to let the project analyze first and then change it by default.

auto

Auto mode lets Claude reduce routine permission prompts and have a separate classifier model review risks before actions are performed. It blocks actions that exceed the scope of the request, target unknown infrastructure, or appear to be induced by malicious content.

Auto mode requires Claude Code v2.1.83 or higher. It also encourages Claude to keep working rather than stopping frequently to ask clarifying questions; but Claude may still ask questions when your prompt or skill clearly relies on asking questions.

Auto mode is the research preview capability. It reduces prompts, but does not guarantee security. Suitable for long tasks with credible direction and should not replace manual review of sensitive operations. An explicit ask rule will still force the prompt.

{
  "env": {
    "CLAUDE_CODE_ENABLE_AUTO_MODE": "1"
  },
  "permissions": {
    "defaultMode": "auto"
  }
}
requestDescription
planOfficial documentation lists all plans as available.
AdministratorTeam/Enterprise requires administrator enablement in Claude Code admin settings; can also be disabled via managed settings.
modelAnthropic API supports Claude Opus 4.6+ or Sonnet 4.6; Bedrock, Vertex AI, and Foundry support Opus 4.7/4.8.
providerAnthropic API is available by default; Bedrock, Vertex AI, and Foundry need to explicitly set CLAUDE_CODE_ENABLE_AUTO_MODE.

auto security boundary

Classifiers trust working directories and repository configured remotes by default, other infrastructure is treated as external by default. Administrators can add trusted repositories, buckets, and services through autoMode.environment.

Boundaries that you clearly state in conversations can also serve as stop signals, such as “don’t push” or “wait for my review before deploying.” These boundaries persist until you lift them in subsequent messages; but if context compression loses boundary messages, the effect may be lost. When hard guarantees are required, use deny rules.

If the classifier blocks 3 times in a row, or 20 blocks total in a session, auto mode pauses and resumes the prompt. After approving the prompted action, auto mode will resume. Repeated blocking in non-interactive -p mode aborts the session.

Block by defaultAllowed by default
Download and execute code, such as curl | bash.Local file operations within the working directory.
Send sensitive data to external endpoints.Install dependencies declared in the lock file or manifest.
Production deployment, migration, large-scale cloud storage deletion.Read-only HTTP requests.
Grant IAM or repository permissions to modify shared infrastructure.Push to the branch you started or the branch Claude created.
Force push or push main directly, destroy resources, discard uncommitted changes.Read the .env and send the credentials to its matching API.

Classifier details

Auto mode's classifier processes operations in a fixed order: first apply allow/deny rules, then automatically approve read-only operations and file edits in the working directory, and leave the rest to the classifier, letting Claude try alternatives if blocked.

When entering auto mode, overly broad allow rules are temporarily removed, such as Bash(*), PowerShell(*), wildcard interpreter, package manager run commands, and Agent allow rules. Narrow rules like Bash(npm test) will continue to take effect, and rules that were removed after leaving auto will be restored.

The classifier sees user messages, tool calls, and CLAUDE.md content; tool results are stripped, preventing malicious content in files or web pages from directly manipulating the classifier. The subagent's operation history is inspected before starting, during each operation, and after completion.

Classifier calls count toward token usage and add one round trip before execution. Reads and working directory edits outside protected paths usually skip the classifier, so the main overhead comes from shell commands and network operations.

dontAsk

dontAsk automatically denies every tool call that would otherwise prompt, allowing only operations that match permissions.allow rules and read-only Bash commands.

This makes the session completely non-interactive, suitable for CI pipelines or restricted scripting environments: you define up front what Claude can do, and other operations don't wait for human approval, but are rejected directly.

Explicit ask rules will be rejected instead of prompted under dontAsk. Claude Code on the web's cloud session ignores defaultMode: "dontAsk" to prevent the repository check-in setting from putting the cloud session into non-interactive mode.

claude --permission-mode dontAsk

bypassPermissions

bypassPermissions disables permission prompts and security checks, and tool calls are executed immediately. Officials clearly recommend using it only in isolated containers, VMs, or dev containers without Internet access to ensure that Claude Code cannot harm the host system.

As of v2.1.126, this includes writing to protected paths; earlier versions may still prompt. Explicit ask rules will still force a prompt, and delete operations against the file system root or home will still prompt as a circuit breaker against model errors.

You cannot enter bypassPermissions mid-session without the relevant flag enabled; you must restart and use --permission-mode bypassPermissions, --dangerously-skip-permissions, or --allow-dangerously-skip-permissions. On Linux and macOS, entering this mode is denied when running as root or sudo.

Claude Code on the web does not respect defaultMode: "bypassPermissions" or "dontAsk" in the settings file, so the repository check-in configuration does not allow cloud sessions to automatically bypass permissions.

claude --permission-mode bypassPermissions

# Equivalent high risk flag
claude --dangerously-skip-permissions

Don't think of bypass as auto

bypassPermissions does not provide prompt injection or accidental operation protection. If you want to reduce prompts but retain background security checks, you should give priority to auto mode.

protected path

Claude Code provides additional protection for a set of paths to prevent accidental destruction of repository status, IDE configuration, package manager configuration, and Claude's own settings. permissions.allow does not pre-approval writes to these paths.

Protected directories include .git, .config/git, .vscode, .idea, .husky, .cargo, .devcontainer, .yarn, .mvn, .claude, etc.; .claude/worktrees is an exception because Claude stores his own git worktrees there.

Protected files cover shell configuration, npm/yarn/pnpm/bun configuration, Bazel configuration, pre-commit/lefthook, wrapper properties, .devcontainer.json, copyrightconfig, .mcp.json, .claude.json, etc. The prompt for writing to .claude/ may offer the option "This session allows Claude to edit his own settings".

modeProtected path writing results
default / acceptEdits / planPrompt user for approval.
autoLeave it to the classifier to judge.
dontAskRefuse.
bypassPermissionsAllowed.

Study Checklist

Put the content on this page into real tasks and use the five dimensions of entry, context, permissions, verification and team rules to check whether you have truly mastered it.

Study Checklist

After reading this page, do not just remember the concept name. You should be able to place "permission mode" back into a real Claude Code engineering workflow: where the task starts, what context the system loads, which actions need approval, how the result is verified, and how to roll back when it fails.

If this is a portal or platform page, specifically confirm what contexts this portal can access: local files, cloud repositories, browser logins, team messages, external tools, and whether these contexts are sufficient to complete the verification.

  • Be able to describe in your own words the specific problem this page solves, rather than just reciting the title.
  • Able to write a minimal example task with goals, scope, prohibitions, and acceptance criteria.
  • Be able to determine which information should be put into the current prompt and which should be captured as project rules or configurations.
  • Be able to explain which long-term rules should go into CLAUDE.md, and which runtime behavior should be handled by settings, permissions, Hooks, Skills and MCP.
  • Ability to check diffs, command output, test results, screenshots or PR notes after a task is completed instead of just trusting the natural language summary.

If this page is used for team training, ask learners to complete a small task with Claude Code: read and explain first, submit a plan, make the smallest useful change, and close with real verification commands plus human diff review.