Contents
The "Permission Mode" selector next to the prompt box in Claude Code — the one you cycle with Shift+Tab — decides how often Claude pauses to ask permission before it edits a file or runs a command. More confirmations means safer; fewer means Claude works in longer, uninterrupted stretches.
This guide covers what permission modes are, how the 5 modes differ, how to switch them, how auto mode works, and how to use them safely. You'll understand exactly what Ask permissions / Accept edits / Plan mode / Auto mode / Bypass permissions in the screenshot each mean.
Switch how often Claude asks
More oversight (safer) ⟷ more autonomy (uninterrupted)
1. What permission modes are
When Claude wants to edit a file, run a shell command, or make a network request, it normally pauses and asks you to approve the action. Permission modes control how often that pause happens (source: Claude Code's official "Choose a permission mode").
Stricter modes review each action as it comes (safer, more prompts). Looser modes let Claude work in long uninterrupted stretches and report back when done (faster, fewer prompts). The trick is to pick more oversight for sensitive work, fewer interruptions when you trust the direction.
🛡️ Protected paths are special: writes to a small set of critical paths (.git, .claude, shell config files, etc.) are never auto-approved in any mode except Bypass permissions. It's a safety net against corrupting repo state or Claude's own config.
2. The 5 modes (+ settings-only dontAsk)
The selector lists five (Ask permissions / Accept edits / Plan mode / Auto mode / Bypass permissions). Each differs in what runs without asking.
Asks for anything beyond reads
Reads auto-approved; file edits and commands prompt each time. The default for getting started and sensitive work.
Auto-approves edits in your working dir
Auto-approves file edits plus common filesystem commands (mkdir/touch/mv/cp/sed, etc.) inside your working dir. Out-of-scope paths, protected paths, and other commands still prompt. For reviewing changes via git diff afterward.
Plans without editing
Reads and explores but does not edit your source. Proposes a plan first; approving it switches to an editing mode. For understanding a codebase before changing it.
Near-zero prompts with safety checks
A separate classifier model blocks dangerous actions while everything else runs without prompting. Cuts prompt fatigue on long tasks. Has requirements (see §4).
Everything, no checks (dangerous)
Prompts and safety checks disabled. Isolated containers/VMs only. No protection against prompt injection. See bypass mode security.
Only pre-approved tools run
A 6th mode not in the selector. Runs only allow-listed tools and read-only commands; everything else is auto-denied. For CI and locked-down environments.
3. How to switch (Shift+Tab and more)
The quickest way is Shift+Tab. During a session it cycles Ask permissions → Accept edits → Plan mode (the current mode shows in the status bar). In VS Code, Desktop, and claude.ai, use the mode selector next to the prompt box (the UI in the screenshot).
Auto mode and Bypass permissions join the cycle conditionally. Auto mode appears when you meet its requirements, with an opt-in prompt the first time. Bypass permissions is only enabled when you start with --permission-mode bypassPermissions (or --dangerously-skip-permissions). dontAsk never appears in the cycle — set it via a flag or settings.
# Set the mode at startup
claude --permission-mode plan
claude --permission-mode acceptEdits
# Bypass needs its dedicated flag (isolated environments only)
claude --dangerously-skip-permissionsTo always start in the same mode, set a default in your settings file.
// .claude/settings.json
{
"permissions": {
"defaultMode": "acceptEdits"
}
}※ defaultMode: "auto" is ignored in project settings and only honored in user settings (~/.claude/settings.json) — so a repository can't grant itself auto mode.
4. Auto mode in depth
Auto mode removes almost all confirmation prompts — but it isn't a free-for-all. Before each action, a separate classifier model reviews it and blocks anything that escalates beyond your request, targets unrecognized infrastructure, or appears driven by hostile content Claude read.
⚠️ Research preview: auto mode reduces prompts but does not guarantee safety. Use it where you trust the general direction, not as a replacement for review on sensitive operations.
Requirements: auto mode only shows for eligible accounts. On Team/Enterprise an admin must enable it, and the model must support it — Opus 4.6 or later, or Sonnet 4.6 (Sonnet 4.5, Haiku, etc. are not supported). If it reports "unavailable," a requirement is unmet — that is not a transient outage.
✅ Allowed by default
File operations in your working dir, installing dependencies from lock files, read-only HTTP, pushing to the branch you started on.
⛔ Blocked by default
curl | bash, sending secrets to external endpoints, production deploys/migrations, force-push or pushing to main, destructive git operations.
Boundaries you state in conversation (e.g. "don't push," "don't deploy until I review") are treated as a block signal too. But these aren't saved as rules — the classifier re-reads them from the transcript each time, so a boundary can be lost if context compaction removes the message. For a hard guarantee, add a deny rule. Where modes set the baseline for how often Claude asks, Claude Code's permission rules (allow/ask/deny) give you finer, per-tool control. After 3 consecutive or 20 total blocks, auto mode pauses and Claude resumes prompting.
5. Which mode when, and safety
Choose by the oversight-vs-autonomy tradeoff. Quick reference:
| Mode (display) | When to use it |
|---|---|
| Ask permissions (default) | Getting started / sensitive work. When you want to approve each action |
| Accept edits (acceptEdits) | Iterating on code you review; check the diff afterward |
| Plan mode (plan) | Understanding a codebase and settling on a design before changing it |
| Auto mode (auto) | Long tasks where you trust the direction; cutting prompt fatigue |
| Bypass permissions (bypass) | Isolated containers/VMs only, where Claude can't damage your host |
| dontAsk | CI / locked-down environments where you pre-define what Claude may do |
⚠️ Don't reach for Bypass permissions casually: it offers no protection against prompt injection or unintended actions. The answer to "prompts are annoying" is auto mode (with background safety checks), not bypass. Note that hooks still run in bypass mode and can block dangerous operations. For why bypass sometimes still asks, see the security guide and this article.
※ Mode names and behavior are per Claude Code's official docs (Choose a permission mode); the localized display names were confirmed in the live UI (as of June 2026). Requirements and behavior can change — check the official docs and your app for the latest.
6. Relation to effort, and common mix-ups
Next to the prompt box sit two big selectors: "Permission Mode" and "Effort". They do different jobs.
Permission mode = "how much it asks"
The safety-vs-autonomy tradeoff. How often Claude pauses to ask permission.
Effort = "how hard it thinks"
The speed-vs-smarts tradeoff. How much thinking and how many tokens go into a reply (details).
They connect, too. Approving a plan in plan mode lets you switch to auto mode or accept-edits to execute. And pairing the top effort option "Ultracode" with auto mode skips even the workflow-execution prompts so Claude can run end to end.
The common mix-up is "prompts are annoying, so I'll use bypass." That's risky — the right answer is auto mode (with background checks). Another: "plan mode is safe, so anything goes." Plan mode only means "no edits"; the commands it runs to explore still prompt just like default mode.
Summary
Three takeaways on Claude Code permission modes.
- What it is: the setting for how often Claude asks permission before editing or running commands. Switch with
Shift+Tabor the selector. - The modes: Ask permissions (default) / Accept edits (acceptEdits) / Plan mode (plan) / Auto mode (auto) / Bypass permissions (bypass), plus settings-only dontAsk. Protected paths stay protected in every mode except bypass.
- Which when: default for sensitive work, acceptEdits for iterating, plan to understand first, auto for long tasks (with background checks), bypass only in isolated environments.
Permission mode governs "safety," effort governs "smarts" — master both and Claude Code runs safely and smoothly. Pair it with hooks to add your own safety rules.
FAQ
Q. Prompts are annoying. Which mode should I use?
A. Start with Accept edits (acceptEdits) to auto-approve edits in your working dir. To cut prompts further, use Auto mode (auto) — near-zero prompts with background safety checks. Don't use Bypass permissions outside an isolated environment.
Q. How is auto mode different from bypass permissions?
A. Auto mode has a separate classifier model block dangerous actions while running everything else without prompts. Bypass permissions disables safety checks entirely and runs everything, so it's for isolated containers/VMs only. For everyday use, choose auto mode, not bypass.
Q. Why can't I select auto mode?
A. A requirement is unmet. On Team/Enterprise an admin must enable it, and the model must support it (Opus 4.6+ or Sonnet 4.6; Sonnet 4.5, Haiku, etc. are not supported). Once eligible, it appears in the selector and the Shift+Tab cycle.
Q. What exactly is "safe" about plan mode?
A. It doesn't edit your source. It reads, explores, and proposes a plan; approving the plan switches to an editing mode and execution begins. Use it to settle on an approach before making changes.
Q. Can I start in a specific mode?
A. Yes. Pass a startup flag like claude --permission-mode plan, or set permissions.defaultMode in your settings file. Note that auto is only honored in user settings (~/.claude), not project settings.
