Documentation — Spybara

cli-reference.md +2 −2

Details

5## CLI commands5## CLI commands

6 6

~~8| :------------------------------ | :--------------------------------------------- | :------------------------------------------------ |~~8| :------------------------------ | :----------------------------------------------------- | :------------------------------------------------ |

common-workflows.md +1 −1

Details

635 Tips:635 Tips:

636 636

637 * **Name sessions early**: Use `/rename` when starting work on a distinct task—it's much easier to find "payment-integration" than "explain this function" later637 * **Name sessions early**: Use `/rename` when starting work on a distinct task—it's much easier to find "payment-integration" than "explain this function" later

638 * Use `--continue` for quick access to your most recent conversation638 * Use `--continue` for quick access to your most recent conversation in the current directory

639 * Use `--resume session-name` when you know which session you need639 * Use `--resume session-name` when you know which session you need

640 * Use `--resume` (without a name) when you need to browse and select640 * Use `--resume` (without a name) when you need to browse and select

641 * For scripts, use `claude --continue --print "prompt"` to resume in non-interactive mode641 * For scripts, use `claude --continue --print "prompt"` to resume in non-interactive mode

data-usage.md +11 −20

Details

7### Data training policy7### Data training policy

8 8

9**Consumer users (Free, Pro, and Max plans)**:9**Consumer users (Free, Pro, and Max plans)**:

~~10Starting August 28, 2025, we're giving you the choice to allow your data to be used to improve future Claude models.~~10We give you the choice to allow your data to be used to improve future Claude models. We will train new models using data from Free, Pro, and Max accounts when this setting is on (including when you use Claude Code from these accounts).

~~12We will train new models using data from Free, Pro, and Max accounts when this setting is on (including when you use Claude Code from these accounts).~~

~~14* If you're a current user, you can select your preference now and your selection will immediately go into effect.~~

~~15 This setting will only apply to new or resumed chats and coding sessions on Claude. Previous chats with no additional activity will not be used for model training.~~

~~16* You have until October 8, 2025 to make your selection.~~

~~17 If you're a new user, you can pick your setting for model training during the signup process.~~

~~18 You can change your selection at any time in your Privacy Settings.~~

19 11

20**Commercial users**: (Team and Enterprise plans, API, 3rd-party platforms, and Claude Gov) maintain existing policies: Anthropic does not train generative models using code or prompts sent to Claude Code under commercial terms, unless the customer has chosen to provide their data to us for model improvement (for example, the [Developer Partner Program](https://support.claude.com/en/articles/11174108-about-the-development-partner-program)).12**Commercial users**: (Team and Enterprise plans, API, 3rd-party platforms, and Claude Gov) maintain existing policies: Anthropic does not train generative models using code or prompts sent to Claude Code under commercial terms, unless the customer has chosen to provide their data to us for model improvement (for example, the [Developer Partner Program](https://support.claude.com/en/articles/11174108-about-the-development-partner-program)).

21 13

51 43

52For full details, please review our [Commercial Terms of Service](https://www.anthropic.com/legal/commercial-terms) (for Team, Enterprise, and API users) or [Consumer Terms](https://www.anthropic.com/legal/consumer-terms) (for Free, Pro, and Max users) and [Privacy Policy](https://www.anthropic.com/legal/privacy).44For full details, please review our [Commercial Terms of Service](https://www.anthropic.com/legal/commercial-terms) (for Team, Enterprise, and API users) or [Consumer Terms](https://www.anthropic.com/legal/consumer-terms) (for Free, Pro, and Max users) and [Privacy Policy](https://www.anthropic.com/legal/privacy).

53 45

~~54## Data flow and dependencies~~46## Data access

48For all first party users, you can learn more about what data is logged for [local Claude Code](#local-claude-code-data-flow-and-dependencies) and [remote Claude Code](#cloud-execution-data-flow-and-dependencies). Note for remote Claude Code, Claude accesses the repository where you initiate your Claude Code session. Claude does not access repositories that you have connected but have not started a session in.

50## Local Claude Code: Data flow and dependencies

55 51

56The diagram below shows how Claude Code connects to external services during installation and normal operation. Solid lines indicate required connections, while dashed lines represent optional or user-initiated data flows.52The diagram below shows how Claude Code connects to external services during installation and normal operation. Solid lines indicate required connections, while dashed lines represent optional or user-initiated data flows.

57 53

61 57

62Claude Code is built on Anthropic's APIs. For details regarding our API's security controls, including our API logging procedures, please refer to compliance artifacts offered in the [Anthropic Trust Center](https://trust.anthropic.com).58Claude Code is built on Anthropic's APIs. For details regarding our API's security controls, including our API logging procedures, please refer to compliance artifacts offered in the [Anthropic Trust Center](https://trust.anthropic.com).

63 59

~~64### Cloud execution~~60### Cloud execution: Data flow and dependencies

~~66<Note>~~

~~67 The above data flow diagram and description applies to Claude Code CLI running locally on your machine. For cloud-based sessions using Claude Code on the web, see the section below.~~

~~68</Note>~~

69 61

70When using [Claude Code on the web](/en/claude-code-on-the-web), sessions run in Anthropic-managed virtual machines instead of locally. In cloud environments:62When using [Claude Code on the web](/en/claude-code-on-the-web), sessions run in Anthropic-managed virtual machines instead of locally. In cloud environments:

71 63

~~72* **Code storage**: Your repository is cloned to an isolated VM and automatically deleted after session completion~~64* **Code and data storage:** Your repository is cloned to an isolated VM. Code and session data are subject to the retention and usage policies for your account type (see Data retention section above)

~~73* **Credentials**: GitHub authentication is handled through a secure proxy; your GitHub credentials never enter the sandbox~~65* **Credentials:** GitHub authentication is handled through a secure proxy; your GitHub credentials never enter the sandbox

~~74* **Network traffic**: All outbound traffic goes through a security proxy for audit logging and abuse prevention~~66* **Network traffic:** All outbound traffic goes through a security proxy for audit logging and abuse prevention

~~75* **Data retention**: Code and session data are subject to the retention and usage policies for your account type~~67* **Session data:** Prompts, code changes, and outputs follow the same data policies as local Claude Code usage

~~76* **Session data**: Prompts, code changes, and outputs follow the same data policies as local Claude Code usage~~

77 68

78For security details about cloud execution, see [Security](/en/security#cloud-execution-security).69For security details about cloud execution, see [Security](/en/security#cloud-execution-security).

79 70

desktop.md +1 −1

Details

53 53

54### Launch Claude Code on the web54### Launch Claude Code on the web

55 55

~~56From the desktop app, you can kick off Claude Code sessions that run on Anthropic's secure cloud infrastructure. This is useful for:~~56From the desktop app, you can kick off Claude Code sessions that run on Anthropic's secure cloud infrastructure.

57 57

58To start a web session from desktop, select a remote environment when creating a new session.58To start a web session from desktop, select a remote environment when creating a new session.

59 59

discover-plugins.md +10 −1

Details

230* **Project scope**: install for all collaborators on this repository (adds to `.claude/settings.json`)230* **Project scope**: install for all collaborators on this repository (adds to `.claude/settings.json`)

231* **Local scope**: install for yourself in this repository only (not shared with collaborators)231* **Local scope**: install for yourself in this repository only (not shared with collaborators)

232 232

233You may also see plugins with **managed** scope—these are installed by enterprise administrators via [managed settings](/en/settings#enterprise-managed-policy-settings) and cannot be modified.233You may also see plugins with **managed** scope—these are installed by administrators via [managed settings](/en/settings#settings-files) and cannot be modified.

234 234

235Run `/plugin` and go to the **Installed** tab to see your plugins grouped by scope.235Run `/plugin` and go to the **Installed** tab to see your plugins grouped by scope.

236 236

323 323

324To disable all automatic updates entirely for both Claude Code and all plugins, set the `DISABLE_AUTOUPDATER` environment variable. See [Auto updates](/en/setup#auto-updates) for details.324To disable all automatic updates entirely for both Claude Code and all plugins, set the `DISABLE_AUTOUPDATER` environment variable. See [Auto updates](/en/setup#auto-updates) for details.

325 325

326To keep plugin auto-updates enabled while disabling Claude Code auto-updates, set `FORCE_AUTOUPDATE_PLUGINS=true` along with `DISABLE_AUTOUPDATER`:

327

328```shell theme={null}

329export DISABLE_AUTOUPDATER=true

330export FORCE_AUTOUPDATE_PLUGINS=true

331```

332

333This is useful when you want to manage Claude Code updates manually but still receive automatic plugin updates.

334

326## Configure team marketplaces335## Configure team marketplaces

327 336

328Team admins can set up automatic marketplace installation for projects by adding marketplace configuration to `.claude/settings.json`. When team members trust the repository folder, Claude Code prompts them to install these marketplaces and plugins.337Team admins can set up automatic marketplace installation for projects by adding marketplace configuration to `.claude/settings.json`. When team members trust the repository folder, Claude Code prompts them to install these marketplaces and plugins.

hooks.md +1 −1

Details

13* `~/.claude/settings.json` - User settings13* `~/.claude/settings.json` - User settings

14* `.claude/settings.json` - Project settings14* `.claude/settings.json` - Project settings

15* `.claude/settings.local.json` - Local project settings (not committed)15* `.claude/settings.local.json` - Local project settings (not committed)

~~16* Enterprise managed policy settings~~16* Managed policy settings

17 17

18<Note>18<Note>

19 Enterprise administrators can use `allowManagedHooksOnly` to block user, project, and plugin hooks. See [Hook configuration](/en/settings#hook-configuration).19 Enterprise administrators can use `allowManagedHooksOnly` to block user, project, and plugin hooks. See [Hook configuration](/en/settings#hook-configuration).

iam.md +7 −10

Details

155 155

156[Claude Code hooks](/en/hooks-guide) provide a way to register custom shell commands to perform permission evaluation at runtime. When Claude Code makes a tool call, PreToolUse hooks run before the permission system runs, and the hook output can determine whether to approve or deny the tool call in place of the permission system.156[Claude Code hooks](/en/hooks-guide) provide a way to register custom shell commands to perform permission evaluation at runtime. When Claude Code makes a tool call, PreToolUse hooks run before the permission system runs, and the hook output can determine whether to approve or deny the tool call in place of the permission system.

157 157

158### Enterprise managed settings158### Managed settings

159 159

160For enterprise deployments of Claude Code, administrators can configure and distribute settings to their organization through the [Claude.ai admin console](https://claude.ai/admin-settings/claude-code). These settings are fetched automatically when users authenticate and cannot be overridden locally. This feature is available to Claude for Enterprise customers. If you don't see this option in your admin console, contact your Anthropic account team to have the feature enabled.160For organizations that need centralized control over Claude Code configuration, administrators can deploy `managed-settings.json` files to [system directories](/en/settings#settings-files). These policy files follow the same format as regular settings files and cannot be overridden by user or project settings.

~~161~~

162For organizations that prefer file-based policy distribution, Claude Code also supports `managed-settings.json` files that can be deployed to [system directories](/en/settings#settings-files). These policy files follow the same format as regular settings files and cannot be overridden by user or project settings.

163 161

164### Settings precedence162### Settings precedence

165 163

166When multiple settings sources exist, they are applied in the following order (highest to lowest precedence):164When multiple settings sources exist, they are applied in the following order (highest to lowest precedence):

167 165

1681. Managed settings (via Claude.ai admin console)1661. Managed settings (`managed-settings.json`)

1692. File-based managed settings (`managed-settings.json`)1672. Command line arguments

1703. Command line arguments1683. Local project settings (`.claude/settings.local.json`)

1714. Local project settings (`.claude/settings.local.json`)1694. Shared project settings (`.claude/settings.json`)

1725. Shared project settings (`.claude/settings.json`)1705. User settings (`~/.claude/settings.json`)

1736. User settings (`~/.claude/settings.json`)

174 171

175This hierarchy ensures that organizational policies are always enforced while still allowing flexibility at the project and user levels where appropriate.172This hierarchy ensures that organizational policies are always enforced while still allowing flexibility at the project and user levels where appropriate.

176 173

mcp.md +11 −10

Details

277 277

278```bash theme={null}278```bash theme={null}

279# Basic syntax279# Basic syntax

280claude mcp add --transport stdio <name> <command> [args...]280claude mcp add [options] <name> -- <command> [args...]

281 281

282# Real example: Add Airtable server282# Real example: Add Airtable server

283claude mcp add --transport stdio airtable --env AIRTABLE_API_KEY=YOUR_KEY \283claude mcp add --transport stdio --env AIRTABLE_API_KEY=YOUR_KEY airtable \

284 -- npx -y airtable-mcp-server284 -- npx -y airtable-mcp-server

285```285```

286 286

287<Note>287<Note>

288 **Understanding the "--" parameter:**288 **Important: Option ordering**

289 The `--` (double dash) separates Claude's own CLI flags from the command and arguments that get passed to the MCP server. Everything before `--` are options for Claude (like `--env`, `--scope`), and everything after `--` is the actual command to run the MCP server.289

290 All options (`--transport`, `--env`, `--scope`, `--header`) must come **before** the server name. The `--` (double dash) then separates the server name from the command and arguments that get passed to the MCP server.

290 291

291 For example:292 For example:

292 293

293 * `claude mcp add --transport stdio myserver -- npx server` → runs `npx server`294 * `claude mcp add --transport stdio myserver -- npx server` → runs `npx server`

294 * `claude mcp add --transport stdio myserver --env KEY=value -- python server.py --port 8080` → runs `python server.py --port 8080` with `KEY=value` in environment295 * `claude mcp add --transport stdio --env KEY=value myserver -- python server.py --port 8080` → runs `python server.py --port 8080` with `KEY=value` in environment

295 296

296 This prevents conflicts between Claude's flags and the server's flags.297 This prevents conflicts between Claude's flags and the server's flags.

297</Note>298</Note>

466 467

467 * **User and local scope**: `~/.claude.json` (in the `mcpServers` field or under project paths)468 * **User and local scope**: `~/.claude.json` (in the `mcpServers` field or under project paths)

468 * **Project scope**: `.mcp.json` in your project root (checked into source control)469 * **Project scope**: `.mcp.json` in your project root (checked into source control)

469 * **Enterprise managed**: `managed-mcp.json` in system directories (see [Enterprise MCP configuration](#enterprise-mcp-configuration))470 * **Managed**: `managed-mcp.json` in system directories (see [Managed MCP configuration](#managed-mcp-configuration))

470</Note>471</Note>

471 472

472### Scope hierarchy and precedence473### Scope hierarchy and precedence

831 * Server and prompt names are normalized (spaces become underscores)832 * Server and prompt names are normalized (spaces become underscores)

832</Tip>833</Tip>

833 834

834## Enterprise MCP configuration835## Managed MCP configuration

835 836

836For organizations that need centralized control over MCP servers, Claude Code supports two enterprise configuration options:837For organizations that need centralized control over MCP servers, Claude Code supports two configuration options:

837 838

8381. **Exclusive control with `managed-mcp.json`**: Deploy a fixed set of MCP servers that users cannot modify or extend8391. **Exclusive control with `managed-mcp.json`**: Deploy a fixed set of MCP servers that users cannot modify or extend

8392. **Policy-based control with allowlists/denylists**: Allow users to add their own servers, but restrict which ones are permitted8402. **Policy-based control with allowlists/denylists**: Allow users to add their own servers, but restrict which ones are permitted

1051 1052

1052#### Important notes1053#### Important notes

1053 1054

1054* **Option 1 and Option 2 can be combined**: If `managed-mcp.json` exists, it has exclusive control and users cannot add servers. Allowlists/denylists still apply to the enterprise servers themselves.1055* **Option 1 and Option 2 can be combined**: If `managed-mcp.json` exists, it has exclusive control and users cannot add servers. Allowlists/denylists still apply to the managed servers themselves.

1055* **Denylist takes absolute precedence**: If a server matches a denylist entry (by name, command, or URL), it will be blocked even if it's on the allowlist1056* **Denylist takes absolute precedence**: If a server matches a denylist entry (by name, command, or URL), it will be blocked even if it's on the allowlist

1056* Name-based, command-based, and URL-based restrictions work together: a server passes if it matches **either** a name entry, a command entry, or a URL pattern (unless blocked by denylist)1057* Name-based, command-based, and URL-based restrictions work together: a server passes if it matches **either** a name entry, a command entry, or a URL pattern (unless blocked by denylist)

1057 1058

1058<Note>1059<Note>

1059 **When using `managed-mcp.json`**: Users cannot add MCP servers through `claude mcp add` or configuration files. The `allowedMcpServers` and `deniedMcpServers` settings still apply to filter which enterprise servers are actually loaded.1060 **When using `managed-mcp.json`**: Users cannot add MCP servers through `claude mcp add` or configuration files. The `allowedMcpServers` and `deniedMcpServers` settings still apply to filter which managed servers are actually loaded.

1060</Note>1061</Note>

1061 1062

1062 1063

memory.md +2 −2

Details

198 198

199## Organization-level memory management199## Organization-level memory management

200 200

201Enterprise organizations can deploy centrally managed CLAUDE.md files that apply to all users.201Organizations can deploy centrally managed CLAUDE.md files that apply to all users.

202 202

203To set up organization-level memory management:203To set up organization-level memory management:

204 204

2051. Create the enterprise memory file at the **Enterprise policy** location shown in the [memory types table above](#determine-memory-type).2051. Create the managed memory file at the **Managed policy** location shown in the [memory types table above](#determine-memory-type).

206 206

2072. Deploy via your configuration management system (MDM, Group Policy, Ansible, etc.) to ensure consistent distribution across all developer machines.2072. Deploy via your configuration management system (MDM, Group Policy, Ansible, etc.) to ensure consistent distribution across all developer machines.

208 208

plugin-marketplaces.md +3 −3

Details

359 359

360For full configuration options, see [Plugin settings](/en/settings#plugin-settings).360For full configuration options, see [Plugin settings](/en/settings#plugin-settings).

361 361

362### Enterprise marketplace restrictions362### Managed marketplace restrictions

363 363

364For organizations requiring strict control over plugin sources, enterprise administrators can restrict which plugin marketplaces users are allowed to add using the [`strictKnownMarketplaces`](/en/settings#strictknownmarketplaces) setting in managed settings.364For organizations requiring strict control over plugin sources, administrators can restrict which plugin marketplaces users are allowed to add using the [`strictKnownMarketplaces`](/en/settings#strictknownmarketplaces) setting in managed settings.

365 365

366When `strictKnownMarketplaces` is configured in managed settings, the restriction behavior depends on the value:366When `strictKnownMarketplaces` is configured in managed settings, the restriction behavior depends on the value:

367 367

503* [Plugins](/en/plugins) - Creating your own plugins503* [Plugins](/en/plugins) - Creating your own plugins

504* [Plugins reference](/en/plugins-reference) - Complete technical specifications and schemas504* [Plugins reference](/en/plugins-reference) - Complete technical specifications and schemas

505* [Plugin settings](/en/settings#plugin-settings) - Plugin configuration options505* [Plugin settings](/en/settings#plugin-settings) - Plugin configuration options

506* [strictKnownMarketplaces reference](/en/settings#strictknownmarketplaces) - Enterprise marketplace restrictions506* [strictKnownMarketplaces reference](/en/settings#strictknownmarketplaces) - Managed marketplace restrictions

507 507

508 508

509---509---

plugins-reference.md +1 −1

Details

295 295

296Plugins use the same scope system as other Claude Code configurations. For installation instructions and scope flags, see [Install plugins](/en/discover-plugins#install-plugins). For a complete explanation of scopes, see [Configuration scopes](/en/settings#configuration-scopes).296Plugins use the same scope system as other Claude Code configurations. For installation instructions and scope flags, see [Install plugins](/en/discover-plugins#install-plugins). For a complete explanation of scopes, see [Configuration scopes](/en/settings#configuration-scopes).

297 297

quickstart.md +7 −7

Details

20 <Tab title="Native Install (Recommended)">20 <Tab title="Native Install (Recommended)">

21 **macOS, Linux, WSL:**21 **macOS, Linux, WSL:**

22 22

~~23 ```bash theme={null}~~23 ```bash theme={null} theme={null}

24 curl -fsSL https://claude.ai/install.sh | bash24 curl -fsSL https://claude.ai/install.sh | bash

25 ```25 ```

26 26

27 **Windows PowerShell:**27 **Windows PowerShell:**

28 28

~~29 ```powershell theme={null}~~29 ```powershell theme={null} theme={null}

30 irm https://claude.ai/install.ps1 | iex30 irm https://claude.ai/install.ps1 | iex

31 ```31 ```

32 32

33 **Windows CMD:**33 **Windows CMD:**

34 34

~~35 ```batch theme={null}~~35 ```batch theme={null} theme={null}

36 curl -fsSL https://claude.ai/install.cmd -o install.cmd && install.cmd && del install.cmd36 curl -fsSL https://claude.ai/install.cmd -o install.cmd && install.cmd && del install.cmd

37 ```37 ```

38 </Tab>38 </Tab>

39 39

40 <Tab title="Homebrew">40 <Tab title="Homebrew">

~~41 ```sh theme={null}~~41 ```sh theme={null} theme={null}

42 brew install --cask claude-code42 brew install --cask claude-code

43 ```43 ```

44 </Tab>44 </Tab>

46 <Tab title="NPM">46 <Tab title="NPM">

47 If you have [Node.js 18 or newer installed](https://nodejs.org/en/download/):47 If you have [Node.js 18 or newer installed](https://nodejs.org/en/download/):

48 48

~~49 ```sh theme={null}~~49 ```sh theme={null} theme={null}

50 npm install -g @anthropic-ai/claude-code50 npm install -g @anthropic-ai/claude-code

51 ```51 ```

52 </Tab>52 </Tab>

241Here are the most important commands for daily use:241Here are the most important commands for daily use:

242 242

244| ------------------- | --------------------------------- | ----------------------------------- |244| ------------------- | ------------------------------------------------------ | ----------------------------------- |

security.md +1 −1

Details

113 113

114### Team security114### Team security

115 115

116* Use [enterprise managed settings](/en/iam#enterprise-managed-settings) to enforce organizational standards116* Use [managed settings](/en/iam#managed-settings) to enforce organizational standards

117* Share approved permission configurations through version control117* Share approved permission configurations through version control

118* Train team members on security best practices118* Train team members on security best practices

119* Monitor Claude Code usage through [OpenTelemetry metrics](/en/monitoring-usage)119* Monitor Claude Code usage through [OpenTelemetry metrics](/en/monitoring-usage)

settings.md +30 −38

Details

11### Available scopes11### Available scopes

12 12

~~14| :------------- | :----------------------------------- | :----------------------------------- | :--------------------- |~~14| :---------- | :----------------------------------- | :----------------------------------- | :--------------------- |

16| **User** | `~/.claude/` directory | You, across all projects | No |16| **User** | `~/.claude/` directory | You, across all projects | No |

18| **Local** | `.claude/*.local.*` files | You, in this repository only | No (gitignored) |18| **Local** | `.claude/*.local.*` files | You, in this repository only | No (gitignored) |

19 19

20### When to use each scope20### When to use each scope

21 21

~~22**Enterprise scope** is for:~~22**Managed scope** is for:

23 23

24* Security policies that must be enforced organization-wide24* Security policies that must be enforced organization-wide

25* Compliance requirements that can't be overridden25* Compliance requirements that can't be overridden

47 47

48When the same setting is configured in multiple scopes, more specific scopes take precedence:48When the same setting is configured in multiple scopes, more specific scopes take precedence:

49 49

~~501. **Enterprise** (highest) - can't be overridden by anything~~501. **Managed** (highest) - can't be overridden by anything

512. **Command line arguments** - temporary session overrides512. **Command line arguments** - temporary session overrides

523. **Local** - overrides project and user settings523. **Local** - overrides project and user settings

534. **Project** - overrides user settings534. **Project** - overrides user settings

79* **Project settings** are saved in your project directory:79* **Project settings** are saved in your project directory:

80 * `.claude/settings.json` for settings that are checked into source control and shared with your team80 * `.claude/settings.json` for settings that are checked into source control and shared with your team

81 * `.claude/settings.local.json` for settings that are not checked in, useful for personal preferences and experimentation. Claude Code will configure git to ignore `.claude/settings.local.json` when it is created.81 * `.claude/settings.local.json` for settings that are not checked in, useful for personal preferences and experimentation. Claude Code will configure git to ignore `.claude/settings.local.json` when it is created.

82* **Managed settings** (Enterprise): Enterprise administrators can configure and distribute Claude Code settings to their organization through the [Claude.ai admin console](https://claude.ai/admin-settings/claude-code). These settings are fetched automatically when users authenticate, take precedence over user and project settings, and cannot be overridden locally. This feature is available to Claude for Enterprise customers. If you don't see this option in your admin console, contact your Anthropic account team to have the feature enabled.82* **Managed settings**: For organizations that need centralized control, Claude Code supports `managed-settings.json` and `managed-mcp.json` files that can be deployed to system directories:

~~84 For organizations that prefer file-based policy distribution, Claude Code also supports `managed-settings.json` and `managed-mcp.json` files that can be deployed to system directories:~~

85 83

86 * macOS: `/Library/Application Support/ClaudeCode/`84 * macOS: `/Library/Application Support/ClaudeCode/`

87 * Linux and WSL: `/etc/claude-code/`85 * Linux and WSL: `/etc/claude-code/`

91 These are system-wide paths (not user home directories like `~/Library/...`) that require administrator privileges. They are designed to be deployed by IT administrators.89 These are system-wide paths (not user home directories like `~/Library/...`) that require administrator privileges. They are designed to be deployed by IT administrators.

92 </Note>90 </Note>

93 91

~~94 See [Enterprise managed settings](/en/iam#enterprise-managed-settings) and [Enterprise MCP configuration](/en/mcp#enterprise-mcp-configuration) for details.~~92 See [Managed settings](/en/iam#managed-settings) and [Managed MCP configuration](/en/mcp#managed-mcp-configuration) for details.

95 93

96 <Note>94 <Note>

~~97 Enterprise deployments can also restrict **plugin marketplace additions** using~~95 Managed deployments can also restrict **plugin marketplace additions** using

~~98 `strictKnownMarketplaces`. For more information, see [Enterprise marketplace restrictions](/en/plugin-marketplaces#enterprise-marketplace-restrictions).~~96 `strictKnownMarketplaces`. For more information, see [Managed marketplace restrictions](/en/plugin-marketplaces#managed-marketplace-restrictions).

99 </Note>97 </Note>

100* **Other configuration** is stored in `~/.claude.json`. This file contains your preferences (theme, notification settings, editor mode), OAuth session, [MCP server](/en/mcp) configurations for user and local scopes, per-project state (allowed tools, trust settings), and various caches. Project-scoped MCP servers are stored separately in `.mcp.json`.98* **Other configuration** is stored in `~/.claude.json`. This file contains your preferences (theme, notification settings, editor mode), OAuth session, [MCP server](/en/mcp) configurations for user and local scopes, per-project state (allowed tools, trust settings), and various caches. Project-scoped MCP servers are stored separately in `.mcp.json`.

101 99

131`settings.json` supports a number of options:129`settings.json` supports a number of options:

132 130

133| Key | Description | Example |131| Key | Description | Example |

134| :--------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | :---------------------------------------------------------------------- |132| :--------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | :---------------------------------------------------------------------- |

135| `apiKeyHelper` | Custom script, to be executed in `/bin/sh`, to generate an auth value. This value will be sent as `X-Api-Key` and `Authorization: Bearer` headers for model requests | `/bin/generate_temp_api_key.sh` |133| `apiKeyHelper` | Custom script, to be executed in `/bin/sh`, to generate an auth value. This value will be sent as `X-Api-Key` and `Authorization: Bearer` headers for model requests | `/bin/generate_temp_api_key.sh` |

136| `cleanupPeriodDays` | Sessions inactive for longer than this period are deleted at startup. Setting to `0` immediately deletes all sessions. (default: 30 days) | `20` |134| `cleanupPeriodDays` | Sessions inactive for longer than this period are deleted at startup. Setting to `0` immediately deletes all sessions. (default: 30 days) | `20` |

137| `companyAnnouncements` | Announcement to display to users at startup. If multiple announcements are provided, they will be cycled through at random. | `["Welcome to Acme Corp! Review our code guidelines at docs.acme.com"]` |135| `companyAnnouncements` | Announcement to display to users at startup. If multiple announcements are provided, they will be cycled through at random. | `["Welcome to Acme Corp! Review our code guidelines at docs.acme.com"]` |

142| `hooks` | Configure custom commands to run before or after tool executions. See [hooks documentation](/en/hooks) | `{"PreToolUse": {"Bash": "echo 'Running command...'"}}` |140| `hooks` | Configure custom commands to run before or after tool executions. See [hooks documentation](/en/hooks) | `{"PreToolUse": {"Bash": "echo 'Running command...'"}}` |

144| `allowManagedHooksOnly` | (Enterprise) Prevent loading of user, project, and plugin hooks. Only allows managed hooks and SDK hooks. See [Hook configuration](#hook-configuration) | `true` |142| `allowManagedHooksOnly` | (Managed settings only) Prevent loading of user, project, and plugin hooks. Only allows managed hooks and SDK hooks. See [Hook configuration](#hook-configuration) | `true` |

146| `otelHeadersHelper` | Script to generate dynamic OpenTelemetry headers. Runs at startup and periodically (see [Dynamic headers](/en/monitoring-usage#dynamic-headers)) | `/bin/generate_otel_headers.sh` |144| `otelHeadersHelper` | Script to generate dynamic OpenTelemetry headers. Runs at startup and periodically (see [Dynamic headers](/en/monitoring-usage#dynamic-headers)) | `/bin/generate_otel_headers.sh` |

147| `statusLine` | Configure a custom status line to display context. See [`statusLine` documentation](/en/statusline) | `{"type": "command", "command": "~/.claude/statusline.sh"}` |145| `statusLine` | Configure a custom status line to display context. See [`statusLine` documentation](/en/statusline) | `{"type": "command", "command": "~/.claude/statusline.sh"}` |

155| `allowedMcpServers` | When set in managed-settings.json, allowlist of MCP servers users can configure. Undefined = no restrictions, empty array = lockdown. Applies to all scopes. Denylist takes precedence. See [Enterprise MCP configuration](/en/mcp#enterprise-mcp-configuration) | `[{ "serverName": "github" }]` |153| `allowedMcpServers` | When set in managed-settings.json, allowlist of MCP servers users can configure. Undefined = no restrictions, empty array = lockdown. Applies to all scopes. Denylist takes precedence. See [Managed MCP configuration](/en/mcp#managed-mcp-configuration) | `[{ "serverName": "github" }]` |

156| `deniedMcpServers` | When set in managed-settings.json, denylist of MCP servers that are explicitly blocked. Applies to all scopes including enterprise servers. Denylist takes precedence over allowlist. See [Enterprise MCP configuration](/en/mcp#enterprise-mcp-configuration) | `[{ "serverName": "filesystem" }]` |154| `deniedMcpServers` | When set in managed-settings.json, denylist of MCP servers that are explicitly blocked. Applies to all scopes including managed servers. Denylist takes precedence over allowlist. See [Managed MCP configuration](/en/mcp#managed-mcp-configuration) | `[{ "serverName": "filesystem" }]` |

157| `strictKnownMarketplaces` | When set in managed-settings.json, allowlist of plugin marketplaces users can add. Undefined = no restrictions, empty array = lockdown. Applies to marketplace additions only. See [Enterprise marketplace restrictions](/en/plugin-marketplaces#enterprise-marketplace-restrictions) | `[{ "source": "github", "repo": "acme-corp/plugins" }]` |155| `strictKnownMarketplaces` | When set in managed-settings.json, allowlist of plugin marketplaces users can add. Undefined = no restrictions, empty array = lockdown. Applies to marketplace additions only. See [Managed marketplace restrictions](/en/plugin-marketplaces#managed-marketplace-restrictions) | `[{ "source": "github", "repo": "acme-corp/plugins" }]` |

158| `awsAuthRefresh` | Custom script that modifies the `.aws` directory (see [advanced credential configuration](/en/amazon-bedrock#advanced-credential-configuration)) | `aws sso login --profile myprofile` |156| `awsAuthRefresh` | Custom script that modifies the `.aws` directory (see [advanced credential configuration](/en/amazon-bedrock#advanced-credential-configuration)) | `aws sso login --profile myprofile` |

159| `awsCredentialExport` | Custom script that outputs JSON with AWS credentials (see [advanced credential configuration](/en/amazon-bedrock#advanced-credential-configuration)) | `/bin/generate_aws_grant.sh` |157| `awsCredentialExport` | Custom script that outputs JSON with AWS credentials (see [advanced credential configuration](/en/amazon-bedrock#advanced-credential-configuration)) | `/bin/generate_aws_grant.sh` |

160| `alwaysThinkingEnabled` | Enable [extended thinking](/en/common-workflows#use-extended-thinking) by default for all sessions. Typically configured via the `/config` command rather than editing directly | `true` |158| `alwaysThinkingEnabled` | Enable [extended thinking](/en/common-workflows#use-extended-thinking) by default for all sessions. Typically configured via the `/config` command rather than editing directly | `true` |

168| `deny` | Array of [permission rules](/en/iam#configuring-permissions) to deny tool use. Use this to also exclude sensitive files from Claude Code access. **Note:** Bash patterns are prefix matches and can be bypassed (see [Bash permission limitations](/en/iam#tool-specific-permission-rules)) | `[ "WebFetch", "Bash(curl:*)", "Read(./.env)", "Read(./secrets/**)" ]` |166| `deny` | Array of [permission rules](/en/iam#configuring-permissions) to deny tool use. Use this to also exclude sensitive files from Claude Code access. **Note:** Bash patterns are prefix matches and can be bypassed (see [Bash permission limitations](/en/iam#tool-specific-permission-rules)) | `[ "WebFetch", "Bash(curl:*)", "Read(./.env)", "Read(./secrets/**)" ]` |

171| `disableBypassPermissionsMode` | Set to `"disable"` to prevent `bypassPermissions` mode from being activated. This disables the `--dangerously-skip-permissions` command-line flag. See [managed settings](/en/iam#enterprise-managed-settings) | `"disable"` |169| `disableBypassPermissionsMode` | Set to `"disable"` to prevent `bypassPermissions` mode from being activated. This disables the `--dangerously-skip-permissions` command-line flag. See [managed settings](/en/iam#managed-settings) | `"disable"` |

172 170

173### Sandbox settings171### Sandbox settings

174 172

297 295

298### Hook configuration296### Hook configuration

299 297

300**Enterprise-only setting**: Controls which hooks are allowed to run. This setting can only be configured in [managed settings](#settings-files) and provides enterprise administrators with strict control over hook execution.298**Managed settings only**: Controls which hooks are allowed to run. This setting can only be configured in [managed settings](#settings-files) and provides administrators with strict control over hook execution.

301 299

302**Behavior when `allowManagedHooksOnly` is `true`:**300**Behavior when `allowManagedHooksOnly` is `true`:**

303 301

316 314

317Settings apply in order of precedence. From highest to lowest:315Settings apply in order of precedence. From highest to lowest:

318 316

3191. **Managed settings** (Enterprise)3171. **Managed settings** (`managed-settings.json`)

320 * Remote settings configured via the [Claude.ai admin console](https://claude.ai/admin-settings/claude-code)

321 * Fetched automatically when users authenticate

322 * Cannot be overridden

~~323~~

3242. **File-based managed settings** (`managed-settings.json`)

325 * Policies deployed by IT/DevOps to system directories318 * Policies deployed by IT/DevOps to system directories

326 * Cannot be overridden by user or project settings319 * Cannot be overridden by user or project settings

327 * Ignored when remote managed settings are configured

328 320

3293. **Command line arguments**3212. **Command line arguments**

330 * Temporary overrides for a specific session322 * Temporary overrides for a specific session

331 323

3324. **Local project settings** (`.claude/settings.local.json`)3243. **Local project settings** (`.claude/settings.local.json`)

333 * Personal project-specific settings325 * Personal project-specific settings

334 326

3355. **Shared project settings** (`.claude/settings.json`)3274. **Shared project settings** (`.claude/settings.json`)

336 * Team-shared project settings in source control328 * Team-shared project settings in source control

337 329

3386. **User settings** (`~/.claude/settings.json`)3305. **User settings** (`~/.claude/settings.json`)

339 * Personal global settings331 * Personal global settings

340 332

341This hierarchy ensures that enterprise security policies are always enforced while still allowing teams and individuals to customize their experience.333This hierarchy ensures that organizational policies are always enforced while still allowing teams and individuals to customize their experience.

342 334

343For example, if your user settings allow `Bash(npm run:*)` but a project's shared settings deny it, the project setting takes precedence and the command is blocked.335For example, if your user settings allow `Bash(npm run:*)` but a project's shared settings deny it, the project setting takes precedence and the command is blocked.

344 336

348* **Settings files (JSON)**: Configure permissions, environment variables, and tool behavior340* **Settings files (JSON)**: Configure permissions, environment variables, and tool behavior

349* **Slash commands**: Custom commands that can be invoked during a session with `/command-name`341* **Slash commands**: Custom commands that can be invoked during a session with `/command-name`

350* **MCP servers**: Extend Claude Code with additional tools and integrations342* **MCP servers**: Extend Claude Code with additional tools and integrations

351* **Precedence**: Higher-level configurations (Enterprise) override lower-level ones (User/Project)343* **Precedence**: Higher-level configurations (Managed) override lower-level ones (User/Project)

352* **Inheritance**: Settings are merged, with more specific settings adding to or overriding broader ones344* **Inheritance**: Settings are merged, with more specific settings adding to or overriding broader ones

353 345

354### System prompt346### System prompt

470 462

471#### `strictKnownMarketplaces`463#### `strictKnownMarketplaces`

472 464

473**Enterprise-only setting**: Controls which plugin marketplaces users are allowed to add. This setting can only be configured in [`managed-settings.json`](/en/iam#enterprise-managed-settings) and provides enterprise administrators with strict control over marketplace sources.465**Managed settings only**: Controls which plugin marketplaces users are allowed to add. This setting can only be configured in [`managed-settings.json`](/en/iam#managed-settings) and provides administrators with strict control over marketplace sources.

474 466

475**Managed settings file locations**:467**Managed settings file locations**:

476 468

477* **macOS**: `/Library/Application Support/ClaudeCode/managed-settings.json`469* **macOS**: `/Library/Application Support/ClaudeCode/managed-settings.json`

478* **Linux and WSL**: `/etc/claude-code/managed-settings.json`470* **Linux and WSL**: `/etc/claude-code/managed-settings.json`

479* **Windows**: `C:\ProgramData\ClaudeCode\managed-settings.json`471* **Windows**: `C:\Program Files\ClaudeCode\managed-settings.json`

480 472

481**Key characteristics**:473**Key characteristics**:

482 474

483* Only available in enterprise managed settings (`managed-settings.json`)475* Only available in managed settings (`managed-settings.json`)

484* Cannot be overridden by user or project settings (highest precedence)476* Cannot be overridden by user or project settings (highest precedence)

485* Enforced BEFORE network/filesystem operations (blocked sources never execute)477* Enforced BEFORE network/filesystem operations (blocked sources never execute)

486* Uses exact matching for source specifications (including `ref`, `path` for git sources)478* Uses exact matching for source specifications (including `ref`, `path` for git sources)

611 603

613| --------------------- | ------------------------------------ | ------------------------------------ |605| --------------------- | ------------------------------------ | ------------------------------------ |

646**Important notes**:638**Important notes**:

647 639

648* Restrictions are checked BEFORE any network requests or filesystem operations640* Restrictions are checked BEFORE any network requests or filesystem operations

649* When blocked, users see clear error messages indicating the source is blocked by enterprise policy641* When blocked, users see clear error messages indicating the source is blocked by managed policy

650* The restriction applies only to adding NEW marketplaces; previously installed marketplaces remain accessible642* The restriction applies only to adding NEW marketplaces; previously installed marketplaces remain accessible

651* Enterprise managed settings have the highest precedence and cannot be overridden643* Managed settings have the highest precedence and cannot be overridden

652 644

653See [Enterprise marketplace restrictions](/en/plugin-marketplaces#enterprise-marketplace-restrictions) for user-facing documentation.645See [Managed marketplace restrictions](/en/plugin-marketplaces#managed-marketplace-restrictions) for user-facing documentation.

654 646

655### Managing plugins647### Managing plugins

656 648

833## See also825## See also

834 826

835* [Identity and Access Management](/en/iam#configuring-permissions) - Learn about Claude Code's permission system827* [Identity and Access Management](/en/iam#configuring-permissions) - Learn about Claude Code's permission system

836* [IAM and access control](/en/iam#enterprise-managed-settings) - Enterprise policy management828* [IAM and access control](/en/iam#managed-settings) - Managed policy configuration

837* [Troubleshooting](/en/troubleshooting#auto-updater-issues) - Solutions for common configuration issues829* [Troubleshooting](/en/troubleshooting#auto-updater-issues) - Solutions for common configuration issues

838 830

839 831

skills.md +5 −5

Details

88 </Step>88 </Step>

89 89

90 <Step title="Activation">90 <Step title="Activation">

91 When your request matches a Skill's description, Claude asks to use the Skill. You'll see a confirmation prompt before the full `SKILL.md` is loaded into context. Claude matches requests against descriptions using semantic similarity, so [write descriptions](#skill-not-triggering) that include keywords users would naturally say.91 When your request matches a Skill's description, Claude asks to use the Skill. You'll see a confirmation prompt before the full `SKILL.md` is loaded into context. Since Claude reads these descriptions to find relevant Skills, [write descriptions](#skill-not-triggering) that include keywords users would naturally say.

92 </Step>92 </Step>

93 93

94 <Step title="Execution">94 <Step title="Execution">

101Where you store a Skill determines who can use it:101Where you store a Skill determines who can use it:

102 102

104| :--------- | :---------------------------------------------------------- | :-------------------------------- |104| :--------- | :----------------------------------------------- | :-------------------------------- |

109 109

110If two Skills have the same name, the higher row wins: enterprise overrides personal, personal overrides project, and project overrides plugin.110If two Skills have the same name, the higher row wins: managed overrides personal, personal overrides project, and project overrides plugin.

111 111

112### When to use Skills versus other options112### When to use Skills versus other options

113 113

286 286

287* **Project Skills**: Commit `.claude/skills/` to version control. Anyone who clones the repository gets the Skills.287* **Project Skills**: Commit `.claude/skills/` to version control. Anyone who clones the repository gets the Skills.

288* **Plugins**: To share Skills across multiple repositories, create a `skills/` directory in your [plugin](/en/plugins) with Skill folders containing `SKILL.md` files. Distribute through a [plugin marketplace](/en/plugin-marketplaces).288* **Plugins**: To share Skills across multiple repositories, create a `skills/` directory in your [plugin](/en/plugins) with Skill folders containing `SKILL.md` files. Distribute through a [plugin marketplace](/en/plugin-marketplaces).

289* **Enterprise**: Administrators can deploy Skills organization-wide through [managed settings](/en/iam#enterprise-managed-settings). See [Where Skills live](#where-skills-live) for enterprise Skill paths.289* **Managed**: Administrators can deploy Skills organization-wide through [managed settings](/en/iam#managed-settings). See [Where Skills live](#where-skills-live) for managed Skill paths.

290 290

291## Examples291## Examples

292 292

troubleshooting.md +5 −5

Details

167Claude Code stores configuration in several locations:167Claude Code stores configuration in several locations:

168 168

169| File | Purpose |169| File | Purpose |

170| :---------------------------- | :--------------------------------------------------------------------- |170| :---------------------------- | :------------------------------------------------------- |

178 178

179On Windows, `~` refers to your user home directory, such as `C:\Users\YourName`.179On Windows, `~` refers to your user home directory, such as `C:\Users\YourName`.

180 180

181**Enterprise managed file locations:**181**Managed file locations:**

182 182

183* macOS: `/Library/Application Support/ClaudeCode/`183* macOS: `/Library/Application Support/ClaudeCode/`

184* Linux/WSL: `/etc/claude-code/`184* Linux/WSL: `/etc/claude-code/`

185* Windows: `C:\ProgramData\ClaudeCode\`185* Windows: `C:\Program Files\ClaudeCode\`

186 186

187For details on configuring these files, see [Settings](/en/settings) and [MCP](/en/mcp).187For details on configuring these files, see [Settings](/en/settings) and [MCP](/en/mcp).

188 188

Documentation 2026-01-06 21:01 UTC to 2026-01-07 21:01 UTC