Claude Code ships with a permission system that asks you to approve file writes, shell commands, and tool calls before they execute. Most of the time, that’s the right default. But when you’re working in a trusted environment or running Claude Code inside a CI pipeline, stopping every five minutes to approve a file edit breaks flow badly.
Auto Mode — released March 24, 2026 — solves this by turning permission prompts off while keeping a safety layer underneath. This guide explains how that safety layer actually works, how it differs from --dangerously-skip-permissions, and how to configure it for your specific needs.
What Auto Mode Is
Auto Mode is a permission bypass that runs a 2-stage classifier before allowing each action, instead of asking you. When you activate it, Claude Code stops surfacing approval dialogs and starts deciding on its own whether each action is safe to proceed with.
Activate it in an interactive session with Shift+Tab. The status indicator in the prompt changes to confirm you’re in Auto Mode.
That’s the surface behavior. Under the hood, the permission system is still running — it’s just that the human is no longer in the loop for every decision. The classifier takes that role.
The 2-Stage Classifier System
This is the part most guides skip over. Auto Mode is not a simple “skip all permissions” switch. Every action passes through two classifiers before Claude Code acts.
Stage 1: Intent Classifier
The first classifier evaluates what the action is trying to accomplish. It categorizes intent along dimensions like:
- Is this a read or a write?
- Does this action affect only the current working directory, or could it reach outside?
- Is this a reversible action (editing a file) or an irreversible one (running
rm, making a network request)? - Does the action involve external systems (APIs, databases, third-party services)?
The intent classifier is not making a binary safe/unsafe judgment yet. It’s building a structured description of what the action is. That description feeds into Stage 2.
Stage 2: Risk Assessment Classifier
The second classifier takes the structured intent from Stage 1 and compares it against a risk model. The output is a concrete decision: ALLOW or DENY.
Factors that push toward DENY:
- Actions that write outside the project directory
- Shell commands that modify system state in ways not scoped to the project
- Outbound network calls to domains not explicitly in scope
- Tool invocations that chain together in ways that amplify risk (writing to a file and then executing it)
Factors that push toward ALLOW:
- Read operations on project files
- Writes scoped to directories Claude Code has already touched in the current session
- Tool calls that match patterns established earlier in the conversation
When the classifier outputs DENY, Claude Code surfaces a permission dialog regardless of whether you’re in Auto Mode. This is the key distinction: Auto Mode removes prompts for actions the classifier is confident about. It does not remove prompts for actions the classifier flags as high-risk.
Auto Mode vs. --dangerously-skip-permissions
These two look similar in effect — both reduce how often you see permission prompts — but they operate on entirely different principles.
| Auto Mode | --dangerously-skip-permissions | |
|---|---|---|
| Safety classifier | Runs on every action | Bypassed entirely |
| DENY outcomes | Surfaces a permission dialog | Not possible — everything is allowed |
| Intent | Trusted interactive or automated use | Headless automation, no safety net |
| Flag required | No (Shift+Tab toggle) | Yes (--dangerously-skip-permissions) |
| Enterprise disable | Yes (disableBypassPermissionsMode) | Same setting |
--dangerously-skip-permissions exists for headless environments where interactive prompts are genuinely impossible — CI pipelines running inside containers, automated test runners, scripted batch operations. The name is intentionally alarming because the behavior warrants it: no classifier runs, no action is blocked, everything Claude Code decides to do will happen.
Auto Mode is for humans who trust their environment and want uninterrupted flow. The classifier still runs. Actions the classifier rates as high-risk still get flagged. You are trading approval dialogs for classifier judgment, not trading the safety system for nothing.
If you are running Claude Code in a context where you can interact with it, Auto Mode is almost certainly what you want. --dangerously-skip-permissions is for pipelines that cannot receive input at all.
Configuring Auto Mode via settings.json
The classifier’s defaults are tuned for general use. When you know your project’s specific shape — which tools you need, which you never use, which external calls are expected — you can tune the behavior through settings.json.
The file lives at .claude/settings.json in your project root, or ~/.claude/settings.json for user-level defaults.
Specifying which tools Auto Mode can act on
{
"autoMode": {
"allowedTools": [
"Read",
"Write",
"Edit",
"Bash"
]
}
}When allowedTools is set, Auto Mode only bypasses prompts for the listed tools. Any tool not on the list will still surface a permission dialog, even with Auto Mode active.
Blocking specific tools from Auto Mode entirely
{
"autoMode": {
"deniedTools": [
"WebSearch",
"WebFetch"
]
}
}deniedTools forces permission prompts for specific tools regardless of what the classifier decides. Use this when you want Auto Mode’s flow for local operations but always want to approve network calls.
Combining both lists
{
"autoMode": {
"allowedTools": [
"Read",
"Write",
"Edit",
"Bash",
"Grep",
"Glob"
],
"deniedTools": [
"WebSearch",
"WebFetch",
"mcp__stripe__charge",
"mcp__database__execute_query"
]
}
}The deniedTools list takes precedence over allowedTools. If a tool appears in both, it is denied.
This pattern — allowlist the local tools, denylist anything that touches external systems — is the most useful general-purpose configuration. You get uninterrupted flow for code operations while keeping explicit control over anything that leaves your machine or modifies data outside the project.
MCP server tools in settings
MCP tool names follow the pattern mcp__<server-name>__<tool-name>. You can be as specific or as broad as needed:
{
"autoMode": {
"deniedTools": [
"mcp__database__*",
"mcp__stripe__*"
]
}
}Wildcard patterns work for blocking entire MCP servers from Auto Mode while keeping the rest of the classifier-driven behavior intact.
Enterprise: Disabling Auto Mode Organization-Wide
Organizations managing Claude Code deployments for a team can prevent users from enabling Auto Mode entirely.
In the organization-level settings.json (distributed via MDM or a shared config):
{
"permissions": {
"disableBypassPermissionsMode": true
}
}disableBypassPermissionsMode: true disables both Auto Mode and --dangerously-skip-permissions. Users cannot enable either, and the Shift+Tab toggle in interactive sessions has no effect.
This is appropriate for:
- Teams working with sensitive codebases where every action needs an audit trail
- Organizations with compliance requirements around AI-assisted code changes
- Environments where Claude Code has access to production systems or customer data
The setting can be scoped to individual projects by placing it in the project’s .claude/settings.json rather than a global config, so you can enforce strict mode on sensitive repositories while allowing Auto Mode elsewhere.
Real-World Use Cases
Local development on trusted projects
The most common use case. You’re working on your own codebase, Claude Code is pointing at your local dev environment, and there’s nothing sensitive in scope. Shift+Tab at the start of the session, work without interruptions, disable it when you’re done.
The classifier still catches edge cases — if Claude Code tries to write outside your project directory or reach an unexpected network endpoint, you’ll see a prompt. For everything within normal project boundaries, you won’t.
Automated code review pipelines
Claude Code can run in a CI pipeline to analyze pull requests, suggest refactors, or enforce coding standards. In this context, the pipeline starts Claude Code with --dangerously-skip-permissions (since there’s no human to approve anything), and the deniedTools configuration blocks any write operations:
{
"autoMode": {
"deniedTools": [
"Write",
"Edit",
"Bash"
]
}
}Wait — if you’re using --dangerously-skip-permissions, does deniedTools still work?
No. --dangerously-skip-permissions bypasses the entire permission layer, including deniedTools. For a read-only CI pipeline, the correct approach is to use --allowedTools as a CLI flag rather than relying on settings:
claude --dangerously-skip-permissions \
--allowedTools "Read,Grep,Glob" \
"Analyze the diff in this PR and identify potential issues"Repetitive refactoring sessions
You’re renaming a module, restructuring imports across 50 files, or updating an API interface. Every action is a variation on the same pattern, and stopping for approval 50 times adds no safety value — you already reviewed the approach before starting.
Auto Mode with allowedTools scoped to Read, Write, Edit, and Grep covers these sessions well. You eliminate the repetitive approvals while the classifier still handles anything unexpected.
Multi-agent setups
If you’re running Claude Code as a subagent called from an orchestrating agent (see our agent teams architecture guide), the subagent typically needs to run without interactive prompts. Auto Mode can be enabled programmatically, and the classifier layer provides a sensible safety floor even when no human is directly supervising the subagent’s actions.
What Auto Mode Does Not Protect Against
Being clear about the limits matters.
The classifier is not infallible. It uses a risk model tuned for common patterns. Novel actions, unusual tool combinations, or carefully constructed prompts can produce ALLOW decisions for things you would have caught in a manual review. Auto Mode reduces your oversight surface; it does not replace it.
Unintended file writes within the project directory will be approved. The classifier allows writes to project-scoped paths by default. If Claude Code makes an incorrect edit to a file inside your project, Auto Mode will not catch it. This is where /rewind and checkpointing become important complements to Auto Mode.
API calls that match expected patterns will be approved. If you’ve used a particular MCP tool earlier in the session, the classifier treats subsequent calls to that tool as established behavior. An unexpected follow-up call to the same tool may slip through.
Auto Mode does not log decisions. The classifier makes allow/deny decisions without writing an audit trail. If you need a record of what Claude Code did and why, you need a different approach — either manual approval for each action, or an external logging layer.
For environments where these risks matter, the right answer is not to use Auto Mode at all. The permission dialog exists because the human-in-the-loop model is genuinely safer when the stakes are high.
Putting It Together
Auto Mode is a practical tool for a specific context: you trust the environment, you know the scope of what you’re asking Claude Code to do, and the overhead of per-action approvals is slowing you down without providing meaningful safety benefit.
The 2-stage classifier means you’re not flying completely blind. High-risk actions still surface prompts. The allowedTools and deniedTools settings let you tune exactly where the classifier trusts its own judgment versus where it defers to you.
--dangerously-skip-permissions is a different tool for a different context: fully automated pipelines where no human interaction is possible. The safety model there is that you’ve scoped what Claude Code can access before it starts — not that a classifier is watching each action.
We track patterns in how teams configure Claude Code across a wide range of project types. If you’re interested in how other teams structure their settings and rules, our rules collection has examples from production setups worth looking at.
Quick Reference
Activate Auto Mode: Shift+Tab in an interactive session
Deactivate Auto Mode: Shift+Tab again
CLI flag for headless use: --dangerously-skip-permissions (no classifier, everything allowed)
Block a tool from Auto Mode:
{ "autoMode": { "deniedTools": ["WebFetch"] } }Restrict Auto Mode to specific tools:
{ "autoMode": { "allowedTools": ["Read", "Write", "Edit"] } }Disable Auto Mode organization-wide:
{ "permissions": { "disableBypassPermissionsMode": true } }settings.json locations:
- Project-level:
.claude/settings.json - User-level:
~/.claude/settings.json - Organization-level: distributed via MDM or shared config management