Part ofWhat Is Claude Code? The Complete Guide
Claude automode lets Claude Code edit and run without per-step approval. How the safety layers work, when to trust it, and how to toggle it.
In This Article
7 sectionsClaude automode is the Claude Code permission mode that lets the agent edit files and run commands without per-step approval. In place of prompts, a separate safety classifier reviews each tool call before it executes and blocks destructive or off-intent actions. You reach it through the Shift+Tab mode cycle in Claude Code v2.1.83 or later.
We publish this site with Claude Code every day, and switching to auto mode changed how the tool feels more than any model upgrade: sessions stopped being a click-to-approve treadmill and became something closer to delegation. That shift deserves equal parts enthusiasm and suspicion. Here's how Claude automode actually works, how it compares to the other permission modes, and the rules we use to decide when it gets the keys. (New to the agent itself? Start with our pillar guide, What Is Claude Code?)
What is Claude automode?
Anthropic's own telemetry explains why the feature exists: users approve roughly 93% of Claude Code permission prompts. When approval is that close to automatic, prompts stop being review and start being ritual. Claude automode replaces the ritual with machinery, documented in Anthropic's engineering post. There are two layers:
- An input screen. A server-side probe scans incoming tool results — files read, web pages fetched, shell output — for prompt-injection attempts before Claude acts on them, attaching a warning when it finds hijacking content.
- An output check. Before each tool call runs, a classifier — a separate Claude model, Claude Sonnet 4.6 at launch, server-configured and independent of your
/modelchoice — reviews the pending action against your request and either lets it through or blocks it with a reason.
The classifier is deliberately blind. It sees your messages, the bare tool command, and your CLAUDE.md, but never tool results — so a hostile web page the agent read cannot argue its own case. It runs in two stages, a fast single-token check with deeper reasoning only for flagged actions, and Anthropic measured a 0.4% false-positive rate across 10,000 real production actions.
A block isn't a dead end, either. The denial returns to Claude as a tool result with instructions to find a safer route — deny and continue, not deny and die. One false positive won't kill a two-hour refactor.
Claude Code permission modes, compared
Auto mode makes the most sense next to its siblings. Claude Code ships six permission modes, and each draws the oversight line in a different place:
| Mode | What runs without asking | Best for |
|---|---|---|
default | Reads only | Sensitive work, getting started |
acceptEdits (auto-accept) | Reads, file edits, common filesystem commands | Iterating, reviewing via git diff after |
plan | Reads only — Claude proposes, never edits | Scoping work before changing anything |
auto | Everything, behind classifier checks | Long tasks, ending prompt fatigue |
dontAsk | Only pre-approved tools; the rest auto-denied | Locked-down CI |
bypassPermissions | Everything, no checks at all | Isolated containers and VMs only |
Two of these get confused constantly. The auto-accept mode Claude Code veterans toggle by habit (acceptEdits) only waves through file edits inside your working directory plus basic filesystem commands; real shell work still prompts. Claude automode waves through everything — edits, commands, network calls — and substitutes the classifier for you. Plan mode sits at the opposite pole: research and propose, touch nothing. We covered it in our Claude planner guide, and the two pair beautifully — approving a finished plan now offers "approve and start in auto mode" as one of the exits. Deliberate planning, autonomous execution.
bypassPermissions (the --dangerously-skip-permissions flag) deserves its own warning: no prompts, no classifier, no safety net. Anthropic's docs are blunt that it belongs only in isolated containers, and they now point people to auto mode as the sane alternative.
How to turn on Claude automode
In the terminal, press Shift+Tab to cycle modes — default → accept edits → plan — with auto slotting in last once your account qualifies. The status bar shows the active mode — and a customized Claude Code statusline can surface the model and running cost right beside it. For unattended runs, the same --permission-mode flag works with headless -p sessions.
Eligibility has three parts, and all must hold:
- Version. Claude Code v2.1.83 or later.
- Plan. Every plan tier qualifies, but on Team and Enterprise an Owner has to enable auto mode in admin settings before anyone sees it.
- Model. Claude Opus 4.6 or later, or Claude Sonnet 4.6 or later, on the Anthropic API. On Amazon Bedrock, Google Cloud Vertex AI, or Microsoft Foundry, only Claude Sonnet 5, Claude Opus 4.7, and Claude Opus 4.8 qualify — and you must also set
CLAUDE_CODE_ENABLE_AUTO_MODE=1.
In VS Code, click the mode indicator at the bottom of the prompt box. On Claude Code Desktop, auto appears in the mode selector only after you switch it on in Desktop settings. The full flag and settings reference lives in our Claude Code CLI documentation guide.
Want it as your default? Set "permissions": {"defaultMode": "auto"} in ~/.claude/settings.json — your user file specifically. Since v2.1.142, Claude Code ignores defaultMode: "auto" in a project's .claude/settings.json, a deliberate wrinkle that stops a cloned repository from quietly granting itself autonomy.
What the classifier blocks — and what sails through
Run claude auto-mode defaults and Claude Code prints its complete rule list — 20-plus block rules out of the box. The shape of it:
| Action | Default verdict |
|---|---|
| Editing files in your working directory | Allowed |
| Installing dependencies declared in your lockfile | Allowed |
| Read-only HTTP requests | Allowed |
| Pushing to the branch you started on | Allowed |
Downloading and executing code (curl piped to bash) | Blocked |
Force-pushing, or pushing directly to main | Blocked |
Production deploys, migrations, terraform destroy | Blocked |
git reset --hard and friends that discard uncommitted work | Blocked |
| Sending sensitive data to external endpoints | Blocked |
Beyond the static rules, the classifier honors boundaries you state in conversation. Tell Claude "don't push until I've reviewed" and pushes get blocked even where the defaults would allow them — until you explicitly lift the boundary in a later message. One caveat we learned firsthand: boundaries live in the transcript, so context compaction can silently erase them. For a hard guarantee, write a deny rule instead.
When blocks pile up — 3 consecutive denials, or 20 total in a session — auto mode pauses and Claude Code falls back to prompting you; approve the action and autonomy resumes. Repeated blocks usually mean the classifier doesn't recognize your infrastructure, and an administrator can fix that by listing trusted repos, buckets, and domains — including the endpoints your connected MCP servers reach — in the autoMode.environment setting.
When to trust Claude automode — and when not to
Our rule after months of daily use: hand Claude automode any task where git can undo the damage and tests can catch it. Everything else stays supervised.
| Situation | Auto mode? | Why |
|---|---|---|
| Refactor backed by a solid test suite | Yes | Failures surface fast; git reverts the rest |
| Long codemod or migration across many files | Yes | The exact prompt-fatigue case the mode was built for |
| Feature work on a branch, committing often | Yes | Blast radius is one branch |
| Anything touching production infrastructure | No | The classifier blocks the obvious; "obvious" is not a guarantee |
| A directory with no version control | No | Nothing to diff, nothing to revert |
| Work near live credentials or customer data | No | Anthropic's tests still missed 5.7% of synthetic exfiltration attempts |
Anthropic's framing matches that caution: auto mode is a research preview that "reduces permission prompts but does not guarantee safety," and the docs recommend keeping it away from sensitive operations. Concretely, the classifier missed 17% of a set of real overeager actions in testing — good odds, not certainty. Our own split: content pipelines, refactors, and test-writing for this site run in auto mode daily — often fanned out across parallel subagents; anything touching deploy configuration runs in default mode with our eyes on every prompt.
Guardrails worth setting before you switch
Claude automode is not all-or-nothing. Five things we set up before trusting it:
- Deny and ask rules run first. They resolve before the classifier ever sees an action, in every mode. Deny writes to your secrets directory once, and no mode change reopens them.
- Keep allowlists narrow. Entering auto mode drops blanket rules like
Bash(*)and wildcarded interpreters by design; precise rules likeBash(npm test)carry over and skip the classifier round-trip. - Hooks are programmable vetoes. A PreToolUse hook can inspect any pending tool call and block it with your own logic — the classifier never gets a vote.
- Protected paths stay protected. Writes to
.git,.claude, shell profiles, and similar config are never blanket-approved; in auto mode they route to the classifier instead. - Budget for the overhead. Classifier calls count toward your token usage and add a round-trip before execution. Reads and working-directory edits skip the check, so the cost concentrates on shell commands and network operations.
Set those up and Claude automode becomes what it promises: long stretches of unattended, useful work with a tripwire under it.
Claude pricing at a glance
| Plan | Price |
|---|---|
| Free | $0 |
| Pro | $20 / month |
| Max | from $100 / month |
| API | Pay per token |
For the full breakdown of every plan, see our how much Claude costs guide.
Frequently Asked Questions

Written by
InnovateTechie
Writing about Claude and the Anthropic toolkit — models, Claude Code, pricing, features, and fixes, in clear, practical, hands-on guides tested by daily use.
View all posts →





