MCP Tool Permissions and Security

MCP tools follow the same permission model as Claude Code's built-in tools. Learn the permission syntax, how to scope rules per-project vs globally, and the destructive operation audit every new server requires.

Quick Reference

→Permission syntax: mcp__serverName__toolName (double underscore separators)
→Allow all tools from a server: mcp__github__*
→Allow one specific tool: mcp__postgres__query
→Deny dangerous operations: mcp__postgres__execute (for DROP/DELETE)
→Per-project: .claude/settings.json in repo root
→Global: ~/.claude/settings.json
→First action with any new server: audit its destructive tools and add deny rules

The Permission Syntax

MCP tool permissions use the same allow/deny syntax as built-in tool permissions in settings.json. The pattern is mcp__serverName__toolName — two underscores between each segment.

MCP permissions in .claude/settings.json

▸mcp__github__* — allow every tool the GitHub server exposes
▸mcp__postgres__query — allow only the read-only query tool
▸mcp__postgres__execute — deny the tool that can run arbitrary SQL (including DROP/DELETE)
▸Deny rules take precedence over allow rules
▸A server with no explicit rules requires per-prompt approval for each tool call

Per-Project vs Global Permissions

MCP permissions can be scoped at two levels, following the same config hierarchy as the rest of Claude Code settings:

The Destructive Operation Audit

Every time you add a new MCP server, before using it in any real session, audit its tool list for destructive operations. Run /mcp and expand the server to see every tool it exposes.

Sign in to read this article

This is a premium article. Sign in with your Google account to continue.