The 6 Permission Modes — Choosing the Right Trust Level

Claude Code ships with six permission modes that span a spectrum from read-only caution to unrestricted automation. Knowing when to use each one — and why — is the difference between a safe workflow and a costly mistake.

Quick Reference

→default: read-only tools auto-approved, everything else prompts
→acceptEdits: reads + file edits auto-approved, no prompting for common FS ops
→plan: read-only research mode, no code changes allowed
→auto: background safety classifier approves safe actions (Max/Team/Enterprise)
→dontAsk: only explicit allowlist items run — everything else is auto-denied
→bypassPermissions: no prompts except protected paths — containers only
→Shift+Tab cycles through default → acceptEdits → plan in any session
→Set defaultMode in settings.json to persist your preferred starting mode

Why Modes Exist

Every environment Claude Code runs in has a different risk profile. A throwaway container in CI is not your production database server. A personal laptop mid-debugging session is not an unattended overnight agent run. Permission modes let you match Claude's autonomy level to the actual risk of the environment — without reconfiguring your allowlist from scratch every time.

Think of modes as presets: each one bundles a set of auto-approve and auto-deny decisions so you don't have to specify each one individually. You pick the mode that fits your context, add targeted allow/deny rules on top, and move.

Modes vs Rules

Modes control the baseline behavior. Allowlists and denylists layer on top. A mode decides what happens to unspecified actions; explicit rules override the mode for specific ones. Both matter, but get the mode right first.

The Six Modes at a Glance

Mode	Auto-Approves	Blocks / Prompts	Best For
default	Read-only tools (Read, Glob, Grep, LS)	Prompts for everything else	Getting started, sensitive repos, onboarding
acceptEdits	Reads + file edits + common FS commands (mkdir, mv, cp, touch)	Prompts for bash, network, destructive ops	Active coding sessions where you'll review changes
plan	Read-only access only	Blocks all source code edits entirely	Exploration before committing to a change
auto	Classifier-approved actions (safe ops at runtime)	Classifier-blocked actions, always prompts for risky ones	Long autonomous tasks on trusted direction
dontAsk	Only explicit allowlist entries + read-only bash	Auto-denies everything not on the allowlist	Locked-down CI/CD pipelines
bypassPermissions	Everything (no prompts)	Protected paths only	Isolated containers only — not for interactive use

default — The Safe Starting Point

In default mode, Claude Code auto-approves tools that can only read: Read, Glob, Grep, LS, and similar. Anything that could change state — Bash commands, file writes, network requests — triggers a permission prompt before running.

Sign in to read this article

This is a premium article. Sign in with your Google account to continue.