You want fewer permission prompts without --dangerously-skip-permissions, which actually skips them. Auto mode is the middle ground: a separate classifier model reviews the actions that would otherwise prompt, blocks the unsafe ones, and lets routine work flow through.
1. Check you can run it
Auto mode is gated. All of these must be true:
- Claude Code v2.1.83 or later.
- Plan: Max, Team, Enterprise, or API. Not on Pro.
- Provider: Anthropic API only. Not on Bedrock, Vertex, or Foundry.
- Model: Sonnet 4.6, Opus 4.6, or Opus 4.7 on Team/Enterprise/API; Opus 4.7 only on Max. Haiku and claude-3 models aren’t supported.
- On Team and Enterprise, an admin enables it in Claude Code admin settings before users can turn it on. They can also lock it off entirely with
permissions.disableAutoMode: "disable"in managed settings.
If Claude Code says auto mode is unavailable, one of those is unmet — that’s not a transient outage. The transient one says “cannot determine the safety” of a specific action and is a classifier outage, not a config problem.
2. Enter auto mode
Shift+Tab cycles permission modes in the CLI: default → acceptEdits → plan, then any optional modes you’ve enabled (bypassPermissions first, auto last). The first time you cycle to auto you get an opt-in prompt; accept it, or pick No, don’t ask again to remove auto from the cycle. If you’ve also enabled bypassPermissions, expect to land on it on the way to auto.
Or start in auto directly:
claude --permission-mode autoOr pin it as the default in ~/.claude/settings.json:
{
"permissions": {
"defaultMode": "auto"
}
}The status bar shows the current mode while you work.
3. Know what the classifier blocks vs allows
The classifier trusts your working directory and your repo’s configured remotes. Anything else is “external” until you tell it otherwise.
Blocked by default:
curl | bashand any pattern that downloads-and-executes- Sending sensitive data to external endpoints
- Production deploys and migrations
- Mass deletion on cloud storage
- Granting IAM or repo permissions
- Modifying shared infrastructure
- Irreversibly destroying files that existed before the session
- Force push, or pushing directly to
main
Allowed by default:
- Local file operations in your working directory
- Installing dependencies declared in your lock files or manifests
- Reading
.envand sending credentials to their matching API - Read-only HTTP requests
- Pushing to the branch you started on or one Claude created
The full lists are inspectable:
claude auto-mode defaults # the built-in rules
claude auto-mode config # what the classifier actually uses now
claude auto-mode critique # AI feedback on your custom rulesIf routine internal actions get blocked, that means the classifier doesn’t know they’re internal. Tell it via autoMode.environment in ~/.claude/settings.json:
{
"autoMode": {
"environment": [
"$defaults",
"Source control: github.com/your-org and all repos under it",
"Trusted cloud buckets: s3://your-build-artifacts",
"Trusted internal domains: *.internal.your-org.com",
"Key internal services: Jenkins at ci.your-org.com"
]
}
}The literal string "$defaults" splices the built-in defaults into the array at that position. Without it you replace the defaults entirely — see footgun #4 before you do that.
The classifier reads autoMode from user settings (~/.claude/settings.json), the gitignored project-local file (.claude/settings.local.json), managed settings, and the --settings flag. It does not read it from shared project settings (.claude/settings.json checked into the repo). That’s deliberate — a cloned repository shouldn’t inject its own classifier rules onto your machine. If you check autoMode.environment into a project’s shared settings file, the classifier silently ignores it.
4. Use spoken-word boundaries as block signals
The classifier reads the same conversation transcript Claude does. If you say:
Don’t push to main, wait for me to review first.
…the classifier treats that as a block signal for matching actions, even if the default rules would allow them. These are transcript-derived signals, not entries in autoMode.soft_deny — the boundary stays in force for the rest of the session, until you lift it in a later message. Claude can’t lift its own boundary by deciding the condition has been met.
Useful, but transcript-derived means the classifier re-reads it from the message log on each check — so /compact or context truncation can drop the message that stated it. For anything you need a hard guarantee on, write a permissions.deny rule instead. Deny rules run before the classifier and can’t be overridden.
What happens when actions get blocked
A denial fires a notification and lands in /permissions under the Recently denied tab. Press r on an entry to retry it with a manual approval — useful when the classifier is missing context and you want to override once.
Two thresholds force a fallback to the prompt-based flow:
- 3 denials in a row: auto mode pauses; Claude Code resumes prompting.
- 20 denials total in the session: same fallback.
Approving the next prompt resumes auto mode. Any allowed action resets the consecutive counter; the total counter persists for the session and resets only when its own limit fires. In -p non-interactive mode (no human to prompt), repeated blocks abort the session entirely.
If you keep falling back, the right move is to grow autoMode.environment so the classifier stops misclassifying your own infrastructure as external — not to fight the prompts as they come.
Footguns
Auto mode is not bypassPermissions. Easy to assume “no prompts = no safety”, but auto runs each non-trivial action through the classifier first — your existing allow/deny rules resolve before that, and reads plus working-directory edits outside protected paths skip the classifier entirely. Writes to protected paths (.git, .vscode, .idea, .husky, most of .claude/, .bashrc, .zshrc, .gitconfig, .mcp.json, .claude.json) do go to the classifier in auto mode — they don’t auto-approve. bypassPermissions skips all of that. Different tools, different threat models. Don’t conflate them in your head, and don’t recommend one for the other in tickets.
Entering auto mode silently drops broad allow rules. Existing rules that grant arbitrary code execution are removed for the duration of the session: blanket Bash(*) or PowerShell(*), wildcarded interpreters like Bash(python*), package-manager run commands, and Agent allow rules. Narrow rules like Bash(npm test) carry over. The dropped rules come back when you leave auto mode. The trap: a session that worked fine because of a checked-in Bash(*) allow rule will start prompting on shell commands the moment you enable auto mode, with no obvious explanation. If something stops auto-approving in auto mode, check whether you were depending on a wildcard rule.
Subagents ignore their own permissionMode. A subagent’s frontmatter can declare a permission mode, and outside of auto mode that’s honored. Inside auto mode it’s discarded — the parent session’s classifier evaluates every subagent action with the same rules. The classifier checks subagents at three points: before spawn (the delegated task description), during execution (each action), and on return (the full action history, with a security warning prepended to results if the return-check finds something). If you’ve been relying on a subagent declaring permissionMode: bypassPermissions to do unattended work inside an auto-mode parent, that’s not happening — and the parent classifier will block actions the subagent assumes it’s allowed.
Omitting "$defaults" deletes the entire default list for that section. If you write:
{
"autoMode": {
"soft_deny": [
"Never modify files under infra/terraform/prod/"
]
}
}…you’ve replaced every built-in block rule with that one entry. Force push, curl | bash, production deploys, mass deletes — all now allowed. Same trap on environment and allow. Always include "$defaults" unless you’ve genuinely reviewed the full default list (run claude auto-mode defaults) and intend to take ownership of every rule.
The classifier is a separate paid model call. Each non-trivial action sends a portion of the transcript plus the pending action to the classifier. That’s an extra round-trip before execution, and the tokens count toward your usage. Reads and working-directory edits outside protected paths skip the classifier entirely (they’re auto-approved at step 2 of the decision order), so the overhead lives mostly in shell commands and network operations. On long autonomous runs the cost shows up — not catastrophic, but worth knowing before you run a 4-hour Routine in auto mode.
Auto mode is a research preview. It reduces prompts; it doesn’t guarantee safety. Behavior, defaults, and pricing can shift release to release. Treat the classifier as a useful guardrail for general-direction work, not as a substitute for review on sensitive operations — and don’t build CI workflows that hard-depend on a specific block-or-allow decision. Build those on permissions.allow and permissions.deny, which are stable.
When NOT to use this
- You’re on Pro, Bedrock, Vertex, or Foundry. Auto mode literally isn’t available. Use
acceptEditsfor the next-best reduction in prompt fatigue (auto-approves file edits and a small set of filesystem Bash commands inside the working directory), and tighten withpermissions.allow/permissions.denyrules. - The work is irreversible and high-stakes. Production deploys, schema migrations, IAM changes, anything that costs an outage to undo. The classifier blocks most of these by default for a reason. If you’ve added enough
allowrules to let them through, you’ve engineered around the safety net. Roll those back to manual approval on the merge-to-main path even if you keep auto mode for development branches. - You want a hard guarantee, not best-effort. The classifier is heuristic, the conversation-boundary mechanism is transcript-bound (and can be evicted by compaction). For absolute “this must never happen” rules, use
permissions.denyin managed settings — that runs before the classifier and can’t be overridden by user intent orallowexceptions. - You’re running untrusted code. Auto mode reduces prompts but doesn’t isolate the process. If Claude is about to
npm installa sketchy repository, layer the bash sandbox underneath (Seatbelt on macOS, bubblewrap on Linux/WSL2) — the classifier may flag exfiltration patterns it recognizes, but it doesn’t run inside an OS-level cage that stops a postinstall script from reading~/.ssh/.