Claude Code’s Five Permission Modes, Explained: Ask, Accept Edits, Plan, Auto, and Bypass

Claude Code gives you five permission modes that trade approval friction for autonomy — and you can switch between them whether you work in the terminal or the desktop app. In the terminal, press Shift+Tab to cycle through the modes, or launch with the --permission-mode flag; in the desktop app, open the Mode menu with Ctrl+Shift+M or just tap a number from 1 to 5. Either way, you can pin a default for every session with "defaultMode" under permissions in settings.json. The newest of the five, Bypass permissions, only arrived recently. Here is what each one actually does.

1 · Ask permissions is the conservative baseline (called default on the command line). Claude reads your files freely but stops to ask before it edits anything or runs a shell command. It is the right choice for sensitive work, an unfamiliar repository, or simply when you want to stay in the loop on every action.

2 · Accept edits (acceptEdits) auto-approves file edits and safe filesystem operations — creating, moving, or copying files inside your working directory — while still pausing for anything riskier. Reach for it once you trust the direction and would rather review the diffs after the fact than approve them one by one.

3 · Plan mode is read-only. Claude investigates the codebase and writes up a plan of attack, but it will not touch a single file until you approve. It is the safest way to explore a large or unfamiliar project before committing to changes.

4 · Auto mode is the newer, smarter middle ground. Claude runs without stopping to ask, but every shell command or network action first passes through a separate safety classifier — a second model that vets each action and blocks anything risky or out of scope, such as pushing to main, deploying to production, sending secrets to an outside server, or deleting files that existed before the session. Routine reads and edits inside your working folder skip the check and run immediately. It also respects boundaries you set in conversation — tell Claude “don’t push” and it will stop a push — and if it blocks something you actually wanted, you just approve it and carry on. Anthropic ships it as a research preview on its newer models.

5 · Bypass permissions is the blunt instrument and the most permissive of the five: it skips essentially every prompt so the agent just runs. A few circuit breakers survive — rm -rf / and rm -rf ~ still ask, explicit ask and deny rules still fire, and it refuses to launch as root. But the documentation is blunt that it "offers no protection against prompt injection," so the guidance is to use it only inside a sandbox — a container or VM where Claude Code cannot reach your real files or network.