Skip to content
InnovateTechie
Claude Code

Claude Automode: What It Is and When to Trust It

InnovateTechieBy InnovateTechie10 min read
Share
Claude Automode: What It Is and When to Trust It

Part ofWhat Is Claude Code? The Complete Guide

Claude automode lets Claude Code edit and run without per-step approval. How the safety layers work, when to trust it, and how to toggle it.

Claude automode is the Claude Code permission mode that lets the agent edit files and run commands without per-step approval. In place of prompts, a separate safety classifier reviews each tool call before it executes and blocks destructive or off-intent actions. You reach it through the Shift+Tab mode cycle in Claude Code v2.1.83 or later.

We publish this site with Claude Code every day, and switching to auto mode changed how the tool feels more than any model upgrade: sessions stopped being a click-to-approve treadmill and became something closer to delegation. That shift deserves equal parts enthusiasm and suspicion. Here's how Claude automode actually works, how it compares to the other permission modes, and the rules we use to decide when it gets the keys. (New to the agent itself? Start with our pillar guide, What Is Claude Code?)

What is Claude automode?

Anthropic's own telemetry explains why the feature exists: users approve roughly 93% of Claude Code permission prompts. When approval is that close to automatic, prompts stop being review and start being ritual. Claude automode replaces the ritual with machinery, documented in Anthropic's engineering post. There are two layers:

  1. An input screen. A server-side probe scans incoming tool results — files read, web pages fetched, shell output — for prompt-injection attempts before Claude acts on them, attaching a warning when it finds hijacking content.
  2. An output check. Before each tool call runs, a classifier — a separate Claude model, Claude Sonnet 4.6 at launch, server-configured and independent of your /model choice — reviews the pending action against your request and either lets it through or blocks it with a reason.

The classifier is deliberately blind. It sees your messages, the bare tool command, and your CLAUDE.md, but never tool results — so a hostile web page the agent read cannot argue its own case. It runs in two stages, a fast single-token check with deeper reasoning only for flagged actions, and Anthropic measured a 0.4% false-positive rate across 10,000 real production actions.

A block isn't a dead end, either. The denial returns to Claude as a tool result with instructions to find a safer route — deny and continue, not deny and die. One false positive won't kill a two-hour refactor.

Claude automode two-layer safety flow — input probe screens tool results while a classifier reviews each pending action

Claude Code permission modes, compared

Auto mode makes the most sense next to its siblings. Claude Code ships six permission modes, and each draws the oversight line in a different place:

ModeWhat runs without askingBest for
defaultReads onlySensitive work, getting started
acceptEdits (auto-accept)Reads, file edits, common filesystem commandsIterating, reviewing via git diff after
planReads only — Claude proposes, never editsScoping work before changing anything
autoEverything, behind classifier checksLong tasks, ending prompt fatigue
dontAskOnly pre-approved tools; the rest auto-deniedLocked-down CI
bypassPermissionsEverything, no checks at allIsolated containers and VMs only

Two of these get confused constantly. The auto-accept mode Claude Code veterans toggle by habit (acceptEdits) only waves through file edits inside your working directory plus basic filesystem commands; real shell work still prompts. Claude automode waves through everything — edits, commands, network calls — and substitutes the classifier for you. Plan mode sits at the opposite pole: research and propose, touch nothing. We covered it in our Claude planner guide, and the two pair beautifully — approving a finished plan now offers "approve and start in auto mode" as one of the exits. Deliberate planning, autonomous execution.

bypassPermissions (the --dangerously-skip-permissions flag) deserves its own warning: no prompts, no classifier, no safety net. Anthropic's docs are blunt that it belongs only in isolated containers, and they now point people to auto mode as the sane alternative.

How to turn on Claude automode

In the terminal, press Shift+Tab to cycle modes — default → accept edits → plan — with auto slotting in last once your account qualifies. The status bar shows the active mode — and a customized Claude Code statusline can surface the model and running cost right beside it. For unattended runs, the same --permission-mode flag works with headless -p sessions.

Eligibility has three parts, and all must hold:

  1. Version. Claude Code v2.1.83 or later.
  2. Plan. Every plan tier qualifies, but on Team and Enterprise an Owner has to enable auto mode in admin settings before anyone sees it.
  3. Model. Claude Opus 4.6 or later, or Claude Sonnet 4.6 or later, on the Anthropic API. On Amazon Bedrock, Google Cloud Vertex AI, or Microsoft Foundry, only Claude Sonnet 5, Claude Opus 4.7, and Claude Opus 4.8 qualify — and you must also set CLAUDE_CODE_ENABLE_AUTO_MODE=1.

In VS Code, click the mode indicator at the bottom of the prompt box. On Claude Code Desktop, auto appears in the mode selector only after you switch it on in Desktop settings. The full flag and settings reference lives in our Claude Code CLI documentation guide.

Want it as your default? Set "permissions": {"defaultMode": "auto"} in ~/.claude/settings.json — your user file specifically. Since v2.1.142, Claude Code ignores defaultMode: "auto" in a project's .claude/settings.json, a deliberate wrinkle that stops a cloned repository from quietly granting itself autonomy.

What the classifier blocks — and what sails through

Run claude auto-mode defaults and Claude Code prints its complete rule list — 20-plus block rules out of the box. The shape of it:

ActionDefault verdict
Editing files in your working directoryAllowed
Installing dependencies declared in your lockfileAllowed
Read-only HTTP requestsAllowed
Pushing to the branch you started onAllowed
Downloading and executing code (curl piped to bash)Blocked
Force-pushing, or pushing directly to mainBlocked
Production deploys, migrations, terraform destroyBlocked
git reset --hard and friends that discard uncommitted workBlocked
Sending sensitive data to external endpointsBlocked

Beyond the static rules, the classifier honors boundaries you state in conversation. Tell Claude "don't push until I've reviewed" and pushes get blocked even where the defaults would allow them — until you explicitly lift the boundary in a later message. One caveat we learned firsthand: boundaries live in the transcript, so context compaction can silently erase them. For a hard guarantee, write a deny rule instead.

When blocks pile up — 3 consecutive denials, or 20 total in a session — auto mode pauses and Claude Code falls back to prompting you; approve the action and autonomy resumes. Repeated blocks usually mean the classifier doesn't recognize your infrastructure, and an administrator can fix that by listing trusted repos, buckets, and domains — including the endpoints your connected MCP servers reach — in the autoMode.environment setting.

Claude automode fallback thresholds — three consecutive or twenty total classifier denials hand control back to the human

When to trust Claude automode — and when not to

Our rule after months of daily use: hand Claude automode any task where git can undo the damage and tests can catch it. Everything else stays supervised.

SituationAuto mode?Why
Refactor backed by a solid test suiteYesFailures surface fast; git reverts the rest
Long codemod or migration across many filesYesThe exact prompt-fatigue case the mode was built for
Feature work on a branch, committing oftenYesBlast radius is one branch
Anything touching production infrastructureNoThe classifier blocks the obvious; "obvious" is not a guarantee
A directory with no version controlNoNothing to diff, nothing to revert
Work near live credentials or customer dataNoAnthropic's tests still missed 5.7% of synthetic exfiltration attempts

Anthropic's framing matches that caution: auto mode is a research preview that "reduces permission prompts but does not guarantee safety," and the docs recommend keeping it away from sensitive operations. Concretely, the classifier missed 17% of a set of real overeager actions in testing — good odds, not certainty. Our own split: content pipelines, refactors, and test-writing for this site run in auto mode daily — often fanned out across parallel subagents; anything touching deploy configuration runs in default mode with our eyes on every prompt.

Guardrails worth setting before you switch

Claude automode is not all-or-nothing. Five things we set up before trusting it:

  1. Deny and ask rules run first. They resolve before the classifier ever sees an action, in every mode. Deny writes to your secrets directory once, and no mode change reopens them.
  2. Keep allowlists narrow. Entering auto mode drops blanket rules like Bash(*) and wildcarded interpreters by design; precise rules like Bash(npm test) carry over and skip the classifier round-trip.
  3. Hooks are programmable vetoes. A PreToolUse hook can inspect any pending tool call and block it with your own logic — the classifier never gets a vote.
  4. Protected paths stay protected. Writes to .git, .claude, shell profiles, and similar config are never blanket-approved; in auto mode they route to the classifier instead.
  5. Budget for the overhead. Classifier calls count toward your token usage and add a round-trip before execution. Reads and working-directory edits skip the check, so the cost concentrates on shell commands and network operations.

Set those up and Claude automode becomes what it promises: long stretches of unattended, useful work with a tripwire under it.

Claude pricing at a glance

PlanPrice
Free$0
Pro$20 / month
Maxfrom $100 / month
APIPay per token

For the full breakdown of every plan, see our how much Claude costs guide.

Frequently Asked Questions

Auto mode is a permission mode in which Claude Code decides approvals itself while a safety classifier reviews every tool call before it runs. It sits between default mode, which prompts for each action, and bypassPermissions, which skips checks entirely. Anthropic ships it as a research preview across all plan tiers.

Safer than --dangerously-skip-permissions, but not risk-free. The classifier blocks destructive actions with a measured 0.4% false-positive rate, yet Anthropic's own wording is that auto mode "reduces permission prompts but does not guarantee safety." Keep version control, tests, and deny rules in place, and supervise anything sensitive yourself.

The flag removes every guardrail — tool calls execute immediately with no review, which is why Anthropic says it belongs only in isolated containers and VMs. Auto mode delegates approvals to a classifier that blocks dangerous or off-intent actions while routine ones run. Deny rules and stated boundaries still apply in auto mode.

Yes — that's exactly what Claude automode is for. The agent works through long tasks autonomously and only hands control back after 3 consecutive classifier denials or 20 total in a session. Approving the escalated action resumes autonomy, and any allowed action resets the consecutive-denial counter.

Yes, modestly. Classifier calls count toward your token usage, and each check adds a round-trip before execution. Reads and working-directory edits skip the classifier entirely, so the overhead lands on shell commands and network operations. Recent versions also reuse network verdicts per host instead of re-checking every connection.

No. Since v2.1.142, Claude Code deliberately ignores defaultMode: "auto" in a project's .claude/settings.json and settings.local.json, precisely so a cloned repo cannot grant itself autonomy. Set it in your user-level ~/.claude/settings.json instead, or select auto per session with the Shift+Tab permission-mode cycle.

Deny and ask rules apply in every mode and resolve before the classifier sees the action. Allow rules carry over only when they're narrow, like Bash(npm test); Claude Code drops blanket rules such as Bash() on entry and restores them when you leave. Protected-path writes always route to the classifier.
InnovateTechie

Written by

InnovateTechie

Writing about Claude and the Anthropic toolkit — models, Claude Code, pricing, features, and fixes, in clear, practical, hands-on guides tested by daily use.

View all posts →