Documentation 2026-02-01 21:03 UTC to 2026-02-03 21:08 UTC

217 217 

218* [Monitoring with OpenTelemetry](/en/monitoring-usage): export real-time metrics and events to your observability stack218* [Monitoring with OpenTelemetry](/en/monitoring-usage): export real-time metrics and events to your observability stack

219* [Manage costs effectively](/en/costs): set spend limits and optimize token usage219* [Manage costs effectively](/en/costs): set spend limits and optimize token usage

220* [Identity and access management](/en/iam): configure roles and permissions220* [Permissions](/en/permissions): configure roles and permissions

1> ## Documentation Index

2> Fetch the complete documentation index at: https://code.claude.com/docs/llms.txt

3> Use this file to discover all available pages before exploring further.

4 

5# Authentication

6 

7> Learn how to configure user authentication and credential management for Claude Code in your organization.

8 

9## Authentication methods

10 

11Setting up Claude Code requires access to Anthropic models. For teams, you can set up Claude Code access in one of these ways:

12 

13* [Claude for Teams or Enterprise](#claude-for-teams-or-enterprise) (recommended)

14* [Claude Console](#claude-console-authentication)

15* [Amazon Bedrock](/en/amazon-bedrock)

16* [Google Vertex AI](/en/google-vertex-ai)

17* [Microsoft Foundry](/en/microsoft-foundry)

18 

19### Claude for Teams or Enterprise

20 

21[Claude for Teams](https://claude.com/pricing#team-&-enterprise) and [Claude for Enterprise](https://anthropic.com/contact-sales) provide the best experience for organizations using Claude Code. Team members get access to both Claude Code and Claude on the web with centralized billing and team management.

22 

23* **Claude for Teams**: self-service plan with collaboration features, admin tools, and billing management. Best for smaller teams.

24* **Claude for Enterprise**: adds SSO, domain capture, role-based permissions, compliance API, and managed policy settings for organization-wide Claude Code configurations. Best for larger organizations with security and compliance requirements.

25 

26<Steps>

27 <Step title="Subscribe">

28 Subscribe to [Claude for Teams](https://claude.com/pricing#team-&-enterprise) or contact sales for [Claude for Enterprise](https://anthropic.com/contact-sales).

29 </Step>

30 

31 <Step title="Invite team members">

32 Invite team members from the admin dashboard.

33 </Step>

34 

35 <Step title="Install and log in">

36 Team members install Claude Code and log in with their Claude.ai accounts.

37 </Step>

38</Steps>

39 

40### Claude Console authentication

41 

42For organizations that prefer API-based billing, you can set up access through the Claude Console.

43 

44<Steps>

45 <Step title="Create or use a Console account">

46 Use your existing Claude Console account or create a new one.

47 </Step>

48 

49 <Step title="Add users">

50 You can add users through either method:

51 

52 * Bulk invite users from within the Console (Console -> Settings -> Members -> Invite)

53 * [Set up SSO](https://support.claude.com/en/articles/13132885-setting-up-single-sign-on-sso)

54 </Step>

55 

56 <Step title="Assign roles">

57 When inviting users, assign one of:

58 

59 * **Claude Code** role: users can only create Claude Code API keys

60 * **Developer** role: users can create any kind of API key

61 </Step>

62 

63 <Step title="Users complete setup">

64 Each invited user needs to:

65 

66 * Accept the Console invite

67 * [Check system requirements](/en/setup#system-requirements)

68 * [Install Claude Code](/en/setup#installation)

69 * Log in with Console account credentials

70 </Step>

71</Steps>

72 

73### Cloud provider authentication

74 

75For teams using Amazon Bedrock, Google Vertex AI, or Microsoft Azure:

76 

77<Steps>

78 <Step title="Follow provider setup">

79 Follow the [Bedrock docs](/en/amazon-bedrock), [Vertex docs](/en/google-vertex-ai), or [Microsoft Foundry docs](/en/microsoft-foundry).

80 </Step>

81 

82 <Step title="Distribute configuration">

83 Distribute the environment variables and instructions for generating cloud credentials to your users. Read more about how to [manage configuration here](/en/settings).

84 </Step>

85 

86 <Step title="Install Claude Code">

87 Users can [install Claude Code](/en/setup#installation).

88 </Step>

89</Steps>

90 

91## Credential management

92 

93Claude Code securely manages your authentication credentials:

94 

95* **Storage location**: on macOS, API keys, OAuth tokens, and other credentials are stored in the encrypted macOS Keychain.

96* **Supported authentication types**: Claude.ai credentials, Claude API credentials, Azure Auth, Bedrock Auth, and Vertex Auth.

97* **Custom credential scripts**: the [`apiKeyHelper`](/en/settings#available-settings) setting can be configured to run a shell script that returns an API key.

98* **Refresh intervals**: by default, `apiKeyHelper` is called after 5 minutes or on HTTP 401 response. Set `CLAUDE_CODE_API_KEY_HELPER_TTL_MS` environment variable for custom refresh intervals.

99 

100## See also

101 

102* [Permissions](/en/permissions): configure what Claude Code can access and do

103* [Settings](/en/settings): complete configuration reference

104* [Security](/en/security): security safeguards and best practices

139| Branch available | The branch from the web session must have been pushed to the remote. Teleport automatically fetches and checks it out. |139| Branch available | The branch from the web session must have been pushed to the remote. Teleport automatically fetches and checks it out. |

140| Same account | You must be authenticated to the same Claude.ai account used in the web session. |140| Same account | You must be authenticated to the same Claude.ai account used in the web session. |

141 141 

142### Sharing sessions

143 

144To share a session, toggle its visibility according to the account

145types below. After that, share the session link as-is. Recipients who open your

146shared session will see the latest state of the session upon load, but the

147recipient's page will not update in real time.

148 

149#### Sharing from an Enterprise or Teams account

150 

151For Enterprise and Teams accounts, the two visibility options are **Private**

152and **Team**. Team visibility makes the session visible to other members of your

153Claude.ai organization. Repository access verification is enabled by default,

154based on the GitHub account connected to the recipient's account. Your account's

155display name is visible to all recipients with access. [Claude in Slack](/en/slack)

156sessions are automatically shared with Team visibility.

157 

158#### Sharing from a Max or Pro account

159 

160For Max and Pro accounts, the two visibility options are **Private**

161and **Public**. Public visibility makes the session visible to any user logged

162into claude.ai.

163 

164Check your session for sensitive content before sharing. Sessions may contain

165code and credentials from private GitHub repositories. Repository access

166verification is not enabled by default.

167 

168Enable repository access verification and/or withhold your name from your shared

169sessions by going to Settings > Claude Code > Sharing settings.

170 

142## Cloud environment171## Cloud environment

143 172 

144### Default image173### Default image

57| `--no-chrome` | Disable [Chrome browser integration](/en/chrome) for this session | `claude --no-chrome` |57| `--no-chrome` | Disable [Chrome browser integration](/en/chrome) for this session | `claude --no-chrome` |

58| `--no-session-persistence` | Disable session persistence so sessions are not saved to disk and cannot be resumed (print mode only) | `claude -p --no-session-persistence "query"` |58| `--no-session-persistence` | Disable session persistence so sessions are not saved to disk and cannot be resumed (print mode only) | `claude -p --no-session-persistence "query"` |

59| `--output-format` | Specify output format for print mode (options: `text`, `json`, `stream-json`) | `claude -p "query" --output-format json` |59| `--output-format` | Specify output format for print mode (options: `text`, `json`, `stream-json`) | `claude -p "query" --output-format json` |

60| `--permission-mode` | Begin in a specified [permission mode](/en/iam#permission-modes) | `claude --permission-mode plan` |60| `--permission-mode` | Begin in a specified [permission mode](/en/permissions#permission-modes) | `claude --permission-mode plan` |

61| `--permission-prompt-tool` | Specify an MCP tool to handle permission prompts in non-interactive mode | `claude -p --permission-prompt-tool mcp_auth_tool "query"` |61| `--permission-prompt-tool` | Specify an MCP tool to handle permission prompts in non-interactive mode | `claude -p --permission-prompt-tool mcp_auth_tool "query"` |

62| `--plugin-dir` | Load plugins from directories for this session only (repeatable) | `claude --plugin-dir ./my-plugins` |62| `--plugin-dir` | Load plugins from directories for this session only (repeatable) | `claude --plugin-dir ./my-plugins` |

63| `--print`, `-p` | Print response without interactive mode (see [SDK documentation](https://docs.claude.com/en/docs/agent-sdk) for programmatic usage details) | `claude -p "query"` |63| `--print`, `-p` | Print response without interactive mode (see [SDK documentation](https://docs.claude.com/en/docs/agent-sdk) for programmatic usage details) | `claude -p "query"` |

116 116 

117To stop Claude mid-task, click the stop button.117To stop Claude mid-task, click the stop button.

118 118 

119Remote sessions only support **Code** and **Plan** modes because they continue running in the background without requiring your active participation. See [permission modes](/en/iam#permission-modes) for details on how these work internally.119Remote sessions only support **Code** and **Plan** modes because they continue running in the background without requiring your active participation. See [permission modes](/en/permissions#permission-modes) for details on how these work internally.

120 120 

121### Work in parallel with sessions121### Work in parallel with sessions

122 122 

386All hook events receive these fields via stdin as JSON, in addition to event-specific fields documented in each [hook event](#hook-events) section:386All hook events receive these fields via stdin as JSON, in addition to event-specific fields documented in each [hook event](#hook-events) section:

387 387 

388| Field | Description |388| Field | Description |

389| :---------------- | :--------------------------------------------------------------------------------------------------------------------------------- |389| :---------------- | :----------------------------------------------------------------------------------------------------------------------------------------- |

390| `session_id` | Current session identifier |390| `session_id` | Current session identifier |

391| `transcript_path` | Path to conversation JSON |391| `transcript_path` | Path to conversation JSON |

392| `cwd` | Current working directory when the hook is invoked |392| `cwd` | Current working directory when the hook is invoked |

393| `permission_mode` | Current [permission mode](/en/iam#permission-modes): `"default"`, `"plan"`, `"acceptEdits"`, `"dontAsk"`, or `"bypassPermissions"` |393| `permission_mode` | Current [permission mode](/en/permissions#permission-modes): `"default"`, `"plan"`, `"acceptEdits"`, `"dontAsk"`, or `"bypassPermissions"` |

394| `hook_event_name` | Name of the event that fired |394| `hook_event_name` | Name of the event that fired |

395 395 

396For example, a `PreToolUse` hook for a Bash command receives this on stdin:396For example, a `PreToolUse` hook for a Bash command receives this on stdin:

143* **Auto-accept edits**: Claude edits files without asking, still asks for commands143* **Auto-accept edits**: Claude edits files without asking, still asks for commands

144* **Plan mode**: Claude uses read-only tools only, creating a plan you can approve before execution144* **Plan mode**: Claude uses read-only tools only, creating a plan you can approve before execution

145 145 

146You can also allow specific commands in `.claude/settings.json` so Claude doesn't ask each time. This is useful for trusted commands like `npm test` or `git status`. Settings can be scoped from organization-wide policies down to personal preferences. See [Permissions](/en/iam) for details.146You can also allow specific commands in `.claude/settings.json` so Claude doesn't ask each time. This is useful for trusted commands like `npm test` or `git status`. Settings can be scoped from organization-wide policies down to personal preferences. See [Permissions](/en/permissions) for details.

147 147 

148***148***

149 149 

103| `/mcp` | Manage MCP server connections and OAuth authentication |103| `/mcp` | Manage MCP server connections and OAuth authentication |

104| `/memory` | Edit `CLAUDE.md` memory files |104| `/memory` | Edit `CLAUDE.md` memory files |

105| `/model` | Select or change the AI model |105| `/model` | Select or change the AI model |

106| `/permissions` | View or update [permissions](/en/iam#configuring-permissions) |106| `/permissions` | View or update [permissions](/en/permissions#manage-permissions) |

107| `/plan` | Enter plan mode directly from the prompt |107| `/plan` | Enter plan mode directly from the prompt |

108| `/rename <name>` | Rename the current session for easier identification |108| `/rename <name>` | Rename the current session for easier identification |

109| `/resume [session]` | Resume a conversation by ID or name, or open the session picker |109| `/resume [session]` | Resume a conversation by ID or name, or open the session picker |

24 24 

25```json theme={null}25```json theme={null}

26{26{

27 "$schema": "https://platform.claude.com/docs/schemas/claude-code/keybindings.json",27 "$schema": "https://www.schemastore.org/claude-code-keybindings.json",

28 "$docs": "https://code.claude.com/docs/en/keybindings",28 "$docs": "https://code.claude.com/docs/en/keybindings",

29 "bindings": [29 "bindings": [

30 {30 {

71### Common configuration variables71### Common configuration variables

72 72 

73| Environment Variable | Description | Example Values |73| Environment Variable | Description | Example Values |

74| ----------------------------------------------- | ------------------------------------------------------------------------- | ------------------------------------ |74| ----------------------------------------------- | ------------------------------------------------------------------------------------------ | ------------------------------------ |

75| `CLAUDE_CODE_ENABLE_TELEMETRY` | Enables telemetry collection (required) | `1` |75| `CLAUDE_CODE_ENABLE_TELEMETRY` | Enables telemetry collection (required) | `1` |

76| `OTEL_METRICS_EXPORTER` | Metrics exporter type(s) (comma-separated) | `console`, `otlp`, `prometheus` |76| `OTEL_METRICS_EXPORTER` | Metrics exporter type(s) (comma-separated) | `console`, `otlp`, `prometheus` |

77| `OTEL_LOGS_EXPORTER` | Logs/events exporter type(s) (comma-separated) | `console`, `otlp` |77| `OTEL_LOGS_EXPORTER` | Logs/events exporter type(s) (comma-separated) | `console`, `otlp` |

87| `OTEL_METRIC_EXPORT_INTERVAL` | Export interval in milliseconds (default: 60000) | `5000`, `60000` |87| `OTEL_METRIC_EXPORT_INTERVAL` | Export interval in milliseconds (default: 60000) | `5000`, `60000` |

88| `OTEL_LOGS_EXPORT_INTERVAL` | Logs export interval in milliseconds (default: 5000) | `1000`, `10000` |88| `OTEL_LOGS_EXPORT_INTERVAL` | Logs export interval in milliseconds (default: 5000) | `1000`, `10000` |

89| `OTEL_LOG_USER_PROMPTS` | Enable logging of user prompt content (default: disabled) | `1` to enable |89| `OTEL_LOG_USER_PROMPTS` | Enable logging of user prompt content (default: disabled) | `1` to enable |

90| `OTEL_LOG_TOOL_DETAILS` | Enable logging of MCP server/tool names and skill names in tool events (default: disabled) | `1` to enable |

90| `CLAUDE_CODE_OTEL_HEADERS_HELPER_DEBOUNCE_MS` | Interval for refreshing dynamic headers (default: 1740000ms / 29 minutes) | `900000` |91| `CLAUDE_CODE_OTEL_HEADERS_HELPER_DEBOUNCE_MS` | Interval for refreshing dynamic headers (default: 1740000ms / 29 minutes) | `900000` |

91 92 

92### Metrics cardinality control93### Metrics cardinality control

334* All [standard attributes](#standard-attributes)335* All [standard attributes](#standard-attributes)

335* `event.name`: `"user_prompt"`336* `event.name`: `"user_prompt"`

336* `event.timestamp`: ISO 8601 timestamp337* `event.timestamp`: ISO 8601 timestamp

338* `event.sequence`: monotonically increasing counter for ordering events within a session

337* `prompt_length`: Length of the prompt339* `prompt_length`: Length of the prompt

338* `prompt`: Prompt content (redacted by default, enable with `OTEL_LOG_USER_PROMPTS=1`)340* `prompt`: Prompt content (redacted by default, enable with `OTEL_LOG_USER_PROMPTS=1`)

339 341 

348* All [standard attributes](#standard-attributes)350* All [standard attributes](#standard-attributes)

349* `event.name`: `"tool_result"`351* `event.name`: `"tool_result"`

350* `event.timestamp`: ISO 8601 timestamp352* `event.timestamp`: ISO 8601 timestamp

353* `event.sequence`: monotonically increasing counter for ordering events within a session

351* `tool_name`: Name of the tool354* `tool_name`: Name of the tool

352* `success`: `"true"` or `"false"`355* `success`: `"true"` or `"false"`

353* `duration_ms`: Execution time in milliseconds356* `duration_ms`: Execution time in milliseconds

356* `source`: Decision source - `"config"`, `"user_permanent"`, `"user_temporary"`, `"user_abort"`, or `"user_reject"`359* `source`: Decision source - `"config"`, `"user_permanent"`, `"user_temporary"`, `"user_abort"`, or `"user_reject"`

357* `tool_parameters`: JSON string containing tool-specific parameters (when available)360* `tool_parameters`: JSON string containing tool-specific parameters (when available)

358 * For Bash tool: includes `bash_command`, `full_command`, `timeout`, `description`, `sandbox`361 * For Bash tool: includes `bash_command`, `full_command`, `timeout`, `description`, `sandbox`

362 * For MCP tools (when `OTEL_LOG_TOOL_DETAILS=1`): includes `mcp_server_name`, `mcp_tool_name`

363 * For Skill tool (when `OTEL_LOG_TOOL_DETAILS=1`): includes `skill_name`

359 364 

360#### API request event365#### API request event

361 366 

368* All [standard attributes](#standard-attributes)373* All [standard attributes](#standard-attributes)

369* `event.name`: `"api_request"`374* `event.name`: `"api_request"`

370* `event.timestamp`: ISO 8601 timestamp375* `event.timestamp`: ISO 8601 timestamp

376* `event.sequence`: monotonically increasing counter for ordering events within a session

371* `model`: Model used (for example, "claude-sonnet-4-5-20250929")377* `model`: Model used (for example, "claude-sonnet-4-5-20250929")

372* `cost_usd`: Estimated cost in USD378* `cost_usd`: Estimated cost in USD

373* `duration_ms`: Request duration in milliseconds379* `duration_ms`: Request duration in milliseconds

387* All [standard attributes](#standard-attributes)393* All [standard attributes](#standard-attributes)

388* `event.name`: `"api_error"`394* `event.name`: `"api_error"`

389* `event.timestamp`: ISO 8601 timestamp395* `event.timestamp`: ISO 8601 timestamp

396* `event.sequence`: monotonically increasing counter for ordering events within a session

390* `model`: Model used (for example, "claude-sonnet-4-5-20250929")397* `model`: Model used (for example, "claude-sonnet-4-5-20250929")

391* `error`: Error message398* `error`: Error message

392* `status_code`: HTTP status code (if applicable)399* `status_code`: HTTP status code (if applicable)

404* All [standard attributes](#standard-attributes)411* All [standard attributes](#standard-attributes)

405* `event.name`: `"tool_decision"`412* `event.name`: `"tool_decision"`

406* `event.timestamp`: ISO 8601 timestamp413* `event.timestamp`: ISO 8601 timestamp

414* `event.sequence`: monotonically increasing counter for ordering events within a session

407* `tool_name`: Name of the tool (for example, "Read", "Edit", "Write", "NotebookEdit")415* `tool_name`: Name of the tool (for example, "Read", "Edit", "Write", "NotebookEdit")

408* `decision`: Either `"accept"` or `"reject"`416* `decision`: Either `"accept"` or `"reject"`

409* `source`: Decision source - `"config"`, `"user_permanent"`, `"user_temporary"`, `"user_abort"`, or `"user_reject"`417* `source`: Decision source - `"config"`, `"user_permanent"`, `"user_temporary"`, `"user_abort"`, or `"user_reject"`

493 501 

494* Telemetry is opt-in and requires explicit configuration502* Telemetry is opt-in and requires explicit configuration

495* Sensitive information like API keys or file contents are never included in metrics or events503* Sensitive information like API keys or file contents are never included in metrics or events

496* User prompt content is redacted by default - only prompt length is recorded. To enable user prompt logging, set `OTEL_LOG_USER_PROMPTS=1`504* User prompt content is redacted by default, only prompt length is recorded. To enable user prompt logging, set `OTEL_LOG_USER_PROMPTS=1`

505* MCP server/tool names and skill names are not logged by default because they can reveal user-specific configurations. To enable, set `OTEL_LOG_TOOL_DETAILS=1`

497 506 

498## Monitoring Claude Code on Amazon Bedrock507## Monitoring Claude Code on Amazon Bedrock

499 508 

10 10 

11Prerequisites:11Prerequisites:

12 12 

13* Meet the [system requirements](/en/setup#system-requirements)

13* A [Claude subscription](https://claude.com/pricing) (Pro, Max, Teams, or Enterprise) or [Claude Console](https://console.anthropic.com/) account14* A [Claude subscription](https://claude.com/pricing) (Pro, Max, Teams, or Enterprise) or [Claude Console](https://console.anthropic.com/) account

14 15 

15**Install Claude Code:**16**Install Claude Code:**

20 <Tab title="Native Install (Recommended)">21 <Tab title="Native Install (Recommended)">

21 **macOS, Linux, WSL:**22 **macOS, Linux, WSL:**

22 23 

23 ```bash theme={null}24 ```bash theme={null} theme={null} theme={null} theme={null} theme={null}

24 curl -fsSL https://claude.ai/install.sh | bash25 curl -fsSL https://claude.ai/install.sh | bash

25 ```26 ```

26 27 

27 **Windows PowerShell:**28 **Windows PowerShell:**

28 29 

29 ```powershell theme={null}30 ```powershell theme={null} theme={null} theme={null} theme={null} theme={null}

30 irm https://claude.ai/install.ps1 | iex31 irm https://claude.ai/install.ps1 | iex

31 ```32 ```

32 33 

33 **Windows CMD:**34 **Windows CMD:**

34 35 

35 ```batch theme={null}36 ```batch theme={null} theme={null} theme={null} theme={null} theme={null}

36 curl -fsSL https://claude.ai/install.cmd -o install.cmd && install.cmd && del install.cmd37 curl -fsSL https://claude.ai/install.cmd -o install.cmd && install.cmd && del install.cmd

37 ```38 ```

38 39 

42 </Tab>43 </Tab>

43 44 

44 <Tab title="Homebrew">45 <Tab title="Homebrew">

45 ```sh theme={null}46 ```sh theme={null} theme={null} theme={null} theme={null} theme={null}

46 brew install --cask claude-code47 brew install --cask claude-code

47 ```48 ```

48 49 

52 </Tab>53 </Tab>

53 54 

54 <Tab title="WinGet">55 <Tab title="WinGet">

55 ```powershell theme={null}56 ```powershell theme={null} theme={null} theme={null} theme={null} theme={null}

56 winget install Anthropic.ClaudeCode57 winget install Anthropic.ClaudeCode

57 ```58 ```

58 59 

1> ## Documentation Index

2> Fetch the complete documentation index at: https://code.claude.com/docs/llms.txt

3> Use this file to discover all available pages before exploring further.

4 

5# Configure permissions

6 

7> Control what Claude Code can access and do with fine-grained permission rules, modes, and managed policies.

8 

9Claude Code supports fine-grained permissions so that you can specify exactly what the agent is allowed to do and what it cannot. Permission settings can be checked into version control and distributed to all developers in your organization, as well as customized by individual developers.

10 

11## Permission system

12 

13Claude Code uses a tiered permission system to balance power and safety:

14 

15| Tool type | Example | Approval required | "Yes, don't ask again" behavior |

16| :---------------- | :--------------- | :---------------- | :-------------------------------------------- |

17| Read-only | File reads, Grep | No | N/A |

18| Bash commands | Shell execution | Yes | Permanently per project directory and command |

19| File modification | Edit/write files | Yes | Until session end |

20 

21## Manage permissions

22 

23You can view and manage Claude Code's tool permissions with `/permissions`. This UI lists all permission rules and the settings.json file they are sourced from.

24 

25* **Allow** rules let Claude Code use the specified tool without manual approval.

26* **Ask** rules prompt for confirmation whenever Claude Code tries to use the specified tool.

27* **Deny** rules prevent Claude Code from using the specified tool.

28 

29Rules are evaluated in order: **deny -> ask -> allow**. The first matching rule wins, so deny rules always take precedence.

30 

31## Permission modes

32 

33Claude Code supports several permission modes that control how tools are approved. Set the `defaultMode` in your [settings files](/en/settings#settings-files):

34 

35| Mode | Description |

36| :------------------ | :------------------------------------------------------------------------------------ |

37| `default` | Standard behavior: prompts for permission on first use of each tool |

38| `acceptEdits` | Automatically accepts file edit permissions for the session |

39| `plan` | Plan Mode: Claude can analyze but not modify files or execute commands |

40| `dontAsk` | Auto-denies tools unless pre-approved via `/permissions` or `permissions.allow` rules |

41| `bypassPermissions` | Skips all permission prompts (requires safe environment, see warning below) |

42 

43<Warning>

44 `bypassPermissions` mode disables all permission checks. Only use this in isolated environments like containers or VMs where Claude Code cannot cause damage. Administrators can prevent this mode by setting `disableBypassPermissionsMode` to `"disable"` in [managed settings](#managed-settings).

45</Warning>

46 

47## Permission rule syntax

48 

49Permission rules follow the format `Tool` or `Tool(specifier)`.

50 

51### Match all uses of a tool

52 

53To match all uses of a tool, use just the tool name without parentheses:

54 

55| Rule | Effect |

56| :--------- | :----------------------------- |

57| `Bash` | Matches all Bash commands |

58| `WebFetch` | Matches all web fetch requests |

59| `Read` | Matches all file reads |

60 

61`Bash(*)` is equivalent to `Bash` and matches all Bash commands.

62 

63### Use specifiers for fine-grained control

64 

65Add a specifier in parentheses to match specific tool uses:

66 

67| Rule | Effect |

68| :----------------------------- | :------------------------------------------------------- |

69| `Bash(npm run build)` | Matches the exact command `npm run build` |

70| `Read(./.env)` | Matches reading the `.env` file in the current directory |

71| `WebFetch(domain:example.com)` | Matches fetch requests to example.com |

72 

73### Wildcard patterns

74 

75Bash rules support glob patterns with `*`. Wildcards can appear at any position in the command. This configuration allows npm and git commit commands while blocking git push:

76 

77```json theme={null}

78{

79 "permissions": {

80 "allow": [

81 "Bash(npm run *)",

82 "Bash(git commit *)",

83 "Bash(git * main)",

84 "Bash(* --version)",

85 "Bash(* --help *)"

86 ],

87 "deny": [

88 "Bash(git push *)"

89 ]

90 }

91}

92```

93 

94The space before `*` matters: `Bash(ls *)` matches `ls -la` but not `lsof`, while `Bash(ls*)` matches both. The legacy `:*` suffix syntax is equivalent to ` *` but is deprecated.

95 

96## Tool-specific permission rules

97 

98### Bash

99 

100Bash permission rules support wildcard matching with `*`. Wildcards can appear at any position in the command, including at the beginning, middle, or end:

101 

102* `Bash(npm run build)` matches the exact Bash command `npm run build`

103* `Bash(npm run test *)` matches Bash commands starting with `npm run test`

104* `Bash(npm *)` matches any command starting with `npm `

105* `Bash(* install)` matches any command ending with ` install`

106* `Bash(git * main)` matches commands like `git checkout main`, `git merge main`

107 

108When `*` appears at the end with a space before it (like `Bash(ls *)`), it enforces a word boundary, requiring the prefix to be followed by a space or end-of-string. For example, `Bash(ls *)` matches `ls -la` but not `lsof`. In contrast, `Bash(ls*)` without a space matches both `ls -la` and `lsof` because there's no word boundary constraint.

109 

110<Tip>

111 Claude Code is aware of shell operators (like `&&`) so a prefix match rule like `Bash(safe-cmd *)` won't give it permission to run the command `safe-cmd && other-cmd`.

112</Tip>

113 

114<Warning>

115 Bash permission patterns that try to constrain command arguments are fragile. For example, `Bash(curl http://github.com/ *)` intends to restrict curl to GitHub URLs, but won't match variations like:

116 

117 * Options before URL: `curl -X GET http://github.com/...`

118 * Different protocol: `curl https://github.com/...`

119 * Redirects: `curl -L http://bit.ly/xyz` (redirects to github)

120 * Variables: `URL=http://github.com && curl $URL`

121 * Extra spaces: `curl http://github.com`

122 

123 For more reliable URL filtering, consider:

124 

125 * **Restrict Bash network tools**: use deny rules to block `curl`, `wget`, and similar commands, then use the WebFetch tool with `WebFetch(domain:github.com)` permission for allowed domains

126 * **Use PreToolUse hooks**: implement a hook that validates URLs in Bash commands and blocks disallowed domains

127 * Instructing Claude Code about your allowed curl patterns via CLAUDE.md

128 

129 Note that using WebFetch alone does not prevent network access. If Bash is allowed, Claude can still use `curl`, `wget`, or other tools to reach any URL.

130</Warning>

131 

132### Read and Edit

133 

134`Edit` rules apply to all built-in tools that edit files. Claude makes a best-effort attempt to apply `Read` rules to all built-in tools that read files like Grep and Glob.

135 

136Read and Edit rules both follow the [gitignore](https://git-scm.com/docs/gitignore) specification with four distinct pattern types:

137 

138| Pattern | Meaning | Example | Matches |

139| ------------------ | -------------------------------------- | -------------------------------- | ---------------------------------- |

140| `//path` | **Absolute** path from filesystem root | `Read(//Users/alice/secrets/**)` | `/Users/alice/secrets/**` |

141| `~/path` | Path from **home** directory | `Read(~/Documents/*.pdf)` | `/Users/alice/Documents/*.pdf` |

142| `/path` | Path **relative to settings file** | `Edit(/src/**/*.ts)` | `<settings file path>/src/**/*.ts` |

143| `path` or `./path` | Path **relative to current directory** | `Read(*.env)` | `<cwd>/*.env` |

144 

145<Warning>

146 A pattern like `/Users/alice/file` is NOT an absolute path. It's relative to your settings file. Use `//Users/alice/file` for absolute paths.

147</Warning>

148 

149Examples:

150 

151* `Edit(/docs/**)`: edits in `<project>/docs/` (NOT `/docs/`)

152* `Read(~/.zshrc)`: reads your home directory's `.zshrc`

153* `Edit(//tmp/scratch.txt)`: edits the absolute path `/tmp/scratch.txt`

154* `Read(src/**)`: reads from `<current-directory>/src/`

155 

156<Note>

157 In gitignore patterns, `*` matches files in a single directory while `**` matches recursively across directories. To allow all file access, use just the tool name without parentheses: `Read`, `Edit`, or `Write`.

158</Note>

159 

160### WebFetch

161 

162* `WebFetch(domain:example.com)` matches fetch requests to example.com

163 

164### MCP

165 

166* `mcp__puppeteer` matches any tool provided by the `puppeteer` server (name configured in Claude Code)

167* `mcp__puppeteer__*` wildcard syntax that also matches all tools from the `puppeteer` server

168* `mcp__puppeteer__puppeteer_navigate` matches the `puppeteer_navigate` tool provided by the `puppeteer` server

169 

170### Task (subagents)

171 

172Use `Task(AgentName)` rules to control which [subagents](/en/sub-agents) Claude can use:

173 

174* `Task(Explore)` matches the Explore subagent

175* `Task(Plan)` matches the Plan subagent

176* `Task(Verify)` matches the Verify subagent

177 

178Add these rules to the `deny` array in your settings or use the `--disallowedTools` CLI flag to disable specific agents. To disable the Explore agent:

179 

180```json theme={null}

181{

182 "permissions": {

183 "deny": ["Task(Explore)"]

184 }

185}

186```

187 

188## Extend permissions with hooks

189 

190[Claude Code hooks](/en/hooks-guide) provide a way to register custom shell commands to perform permission evaluation at runtime. When Claude Code makes a tool call, PreToolUse hooks run before the permission system, and the hook output can determine whether to approve or deny the tool call in place of the permission system.

191 

192## Working directories

193 

194By default, Claude has access to files in the directory where it was launched. You can extend this access:

195 

196* **During startup**: use `--add-dir <path>` CLI argument

197* **During session**: use `/add-dir` command

198* **Persistent configuration**: add to `additionalDirectories` in [settings files](/en/settings#settings-files)

199 

200Files in additional directories follow the same permission rules as the original working directory: they become readable without prompts, and file editing permissions follow the current permission mode.

201 

202## How permissions interact with sandboxing

203 

204Permissions and [sandboxing](/en/sandboxing) are complementary security layers:

205 

206* **Permissions** control which tools Claude Code can use and which files or domains it can access. They apply to all tools (Bash, Read, Edit, WebFetch, MCP, and others).

207* **Sandboxing** provides OS-level enforcement that restricts the Bash tool's filesystem and network access. It applies only to Bash commands and their child processes.

208 

209Use both for defense-in-depth:

210 

211* Permission deny rules block Claude from even attempting to access restricted resources

212* Sandbox restrictions prevent Bash commands from reaching resources outside defined boundaries, even if a prompt injection bypasses Claude's decision-making

213* Filesystem restrictions in the sandbox use Read and Edit deny rules, not separate sandbox configuration

214* Network restrictions combine WebFetch permission rules with the sandbox's `allowedDomains` list

215 

216## Managed settings

217 

218For organizations that need centralized control over Claude Code configuration, administrators can deploy `managed-settings.json` files to system directories. These policy files follow the same format as regular settings files and cannot be overridden by user or project settings.

219 

220**Managed settings file locations**:

221 

222* **macOS**: `/Library/Application Support/ClaudeCode/managed-settings.json`

223* **Linux and WSL**: `/etc/claude-code/managed-settings.json`

224* **Windows**: `C:\Program Files\ClaudeCode\managed-settings.json`

225 

226<Note>

227 These are system-wide paths (not user home directories like `~/Library/...`) that require administrator privileges. They are designed to be deployed by IT administrators.

228</Note>

229 

230### Managed-only settings

231 

232Some settings are only effective in managed settings:

233 

234| Setting | Description |

235| :-------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------- |

236| `disableBypassPermissionsMode` | Set to `"disable"` to prevent `bypassPermissions` mode and the `--dangerously-skip-permissions` flag |

237| `allowManagedPermissionRulesOnly` | When `true`, prevents user and project settings from defining `allow`, `ask`, or `deny` permission rules. Only rules in managed settings apply |

238| `allowManagedHooksOnly` | When `true`, prevents loading of user, project, and plugin hooks. Only managed hooks and SDK hooks are allowed |

239| `strictKnownMarketplaces` | Controls which plugin marketplaces users can add. See [managed marketplace restrictions](/en/plugin-marketplaces#managed-marketplace-restrictions) |

240 

241## Settings precedence

242 

243Permission rules follow the same [settings precedence](/en/settings#settings-precedence) as all other Claude Code settings: managed settings have the highest precedence, followed by command line arguments, local project, shared project, and user settings.

244 

245If a permission is allowed in user settings but denied in project settings, the project setting takes precedence and the permission is blocked.

246 

247## Example configurations

248 

249This [repository](https://github.com/anthropics/claude-code/tree/main/examples/settings) includes starter settings configurations for common deployment scenarios. Use these as starting points and adjust them to fit your needs.

250 

251## See also

252 

253* [Settings](/en/settings): complete configuration reference including the permission settings table

254* [Sandboxing](/en/sandboxing): OS-level filesystem and network isolation for Bash commands

255* [Authentication](/en/authentication): set up user access to Claude Code

256* [Security](/en/security): security safeguards and best practices

257* [Hooks](/en/hooks-guide): automate workflows and extend permission evaluation

104You'll see the Claude Code welcome screen with your session information, recent conversations, and latest updates. Type `/help` for available commands or `/resume` to continue a previous conversation.104You'll see the Claude Code welcome screen with your session information, recent conversations, and latest updates. Type `/help` for available commands or `/resume` to continue a previous conversation.

105 105 

106<Tip>106<Tip>

107 After logging in (Step 2), your credentials are stored on your system. Learn more in [Credential Management](/en/iam#credential-management).107 After logging in (Step 2), your credentials are stored on your system. Learn more in [Credential Management](/en/authentication#credential-management).

108</Tip>108</Tip>

109 109 

110## Step 4: Ask your first question110## Step 4: Ask your first question

137 137 

138* Cannot modify critical config files such as `~/.bashrc`138* Cannot modify critical config files such as `~/.bashrc`

139* Cannot modify system-level files in `/bin/`139* Cannot modify system-level files in `/bin/`

140* Cannot read files that are denied in your [Claude permission settings](/en/iam#configuring-permissions)140* Cannot read files that are denied in your [Claude permission settings](/en/permissions#manage-permissions)

141 141 

142**Network protection:**142**Network protection:**

143 143 

184* Filesystem Permission Escalation: Overly broad filesystem write permissions can enable privilege escalation attacks. Allowing writes to directories containing executables in `$PATH`, system configuration directories, or user shell configuration files (`.bashrc`, `.zshrc`) can lead to code execution in different security contexts when other users or system processes access these files.184* Filesystem Permission Escalation: Overly broad filesystem write permissions can enable privilege escalation attacks. Allowing writes to directories containing executables in `$PATH`, system configuration directories, or user shell configuration files (`.bashrc`, `.zshrc`) can lead to code execution in different security contexts when other users or system processes access these files.

185* Linux Sandbox Strength: The Linux implementation provides strong filesystem and network isolation but includes an `enableWeakerNestedSandbox` mode that enables it to work inside of Docker environments without privileged namespaces. This option considerably weakens security and should only be used in cases where additional isolation is otherwise enforced.185* Linux Sandbox Strength: The Linux implementation provides strong filesystem and network isolation but includes an `enableWeakerNestedSandbox` mode that enables it to work inside of Docker environments without privileged namespaces. This option considerably weakens security and should only be used in cases where additional isolation is otherwise enforced.

186 186 

187## How sandboxing relates to permissions

188 

189Sandboxing and [permissions](/en/permissions) are complementary security layers that work together:

190 

191* **Permissions** control which tools Claude Code can use and are evaluated before any tool runs. They apply to all tools: Bash, Read, Edit, WebFetch, MCP, and others.

192* **Sandboxing** provides OS-level enforcement that restricts what Bash commands can access at the filesystem and network level. It applies only to Bash commands and their child processes.

193 

194Filesystem and network restrictions are configured through permission rules, not sandbox settings:

195 

196* Use `Read` and `Edit` deny rules to block access to specific files or directories

197* Use `WebFetch` allow/deny rules to control domain access

198* Use sandbox `allowedDomains` to control which domains Bash commands can reach

199 

200This [repository](https://github.com/anthropics/claude-code/tree/main/examples/settings) includes starter settings configurations for common deployment scenarios, including sandbox-specific examples. Use these as starting points and adjust them to fit your needs.

201 

187## Advanced usage202## Advanced usage

188 203 

189### Custom proxy configuration204### Custom proxy configuration

210 225 

211The sandboxed bash tool works alongside:226The sandboxed bash tool works alongside:

212 227 

213* **IAM policies**: Combine with [permission settings](/en/iam) for defense-in-depth228* **Permission rules**: Combine with [permission settings](/en/permissions) for defense-in-depth

214* **Development containers**: Use with [devcontainers](/en/devcontainer) for additional isolation229* **Development containers**: Use with [devcontainers](/en/devcontainer) for additional isolation

215* **Enterprise policies**: Enforce sandbox configurations through [managed settings](/en/settings#settings-precedence)230* **Enterprise policies**: Enforce sandbox configurations through [managed settings](/en/settings#settings-precedence)

216 231 

241## See also256## See also

242 257 

243* [Security](/en/security) - Comprehensive security features and best practices258* [Security](/en/security) - Comprehensive security features and best practices

244* [IAM](/en/iam) - Permission configuration and access control259* [Permissions](/en/permissions) - Permission configuration and access control

245* [Settings](/en/settings) - Complete configuration reference260* [Settings](/en/settings) - Complete configuration reference

246* [CLI reference](/en/cli-reference) - Command-line options261* [CLI reference](/en/cli-reference) - Command-line options

18 18 

19We designed Claude Code to be transparent and secure. For example, we require approval for bash commands before executing them, giving you direct control. This approach enables users and organizations to configure permissions directly.19We designed Claude Code to be transparent and secure. For example, we require approval for bash commands before executing them, giving you direct control. This approach enables users and organizations to configure permissions directly.

20 20 

21For detailed permission configuration, see [Identity and Access Management](/en/iam).21For detailed permission configuration, see [Permissions](/en/permissions).

22 22 

23### Built-in protections23### Built-in protections

24 24 

42* **Permission system**: Sensitive operations require explicit approval42* **Permission system**: Sensitive operations require explicit approval

43* **Context-aware analysis**: Detects potentially harmful instructions by analyzing the full request43* **Context-aware analysis**: Detects potentially harmful instructions by analyzing the full request

44* **Input sanitization**: Prevents command injection by processing user inputs44* **Input sanitization**: Prevents command injection by processing user inputs

45* **Command blocklist**: Blocks risky commands that fetch arbitrary content from the web like `curl` and `wget` by default. When explicitly allowed, be aware of [permission pattern limitations](/en/iam#tool-specific-permission-rules)45* **Command blocklist**: Blocks risky commands that fetch arbitrary content from the web like `curl` and `wget` by default. When explicitly allowed, be aware of [permission pattern limitations](/en/permissions#tool-specific-permission-rules)

46 46 

47### Privacy safeguards47### Privacy safeguards

48 48 

63* **Command injection detection**: Suspicious bash commands require manual approval even if previously allowlisted63* **Command injection detection**: Suspicious bash commands require manual approval even if previously allowlisted

64* **Fail-closed matching**: Unmatched commands default to requiring manual approval64* **Fail-closed matching**: Unmatched commands default to requiring manual approval

65* **Natural language descriptions**: Complex bash commands include explanations for user understanding65* **Natural language descriptions**: Complex bash commands include explanations for user understanding

66* **Secure credential storage**: API keys and tokens are encrypted. See [Credential Management](/en/iam#credential-management)66* **Secure credential storage**: API keys and tokens are encrypted. See [Credential Management](/en/authentication#credential-management)

67 67 

68<Warning>68<Warning>

69 **Windows WebDAV security risk**: When running Claude Code on Windows, we recommend against enabling WebDAV or allowing Claude Code to access paths such as `\\*` that may contain WebDAV subdirectories. [WebDAV has been deprecated by Microsoft](https://learn.microsoft.com/en-us/windows/whats-new/deprecated-features#:~:text=The%20Webclient%20\(WebDAV\)%20service%20is%20deprecated) due to security risks. Enabling WebDAV may allow Claude Code to trigger network requests to remote hosts, bypassing the permission system.69 **Windows WebDAV security risk**: When running Claude Code on Windows, we recommend against enabling WebDAV or allowing Claude Code to access paths such as `\\*` that may contain WebDAV subdirectories. [WebDAV has been deprecated by Microsoft](https://learn.microsoft.com/en-us/windows/whats-new/deprecated-features#:~:text=The%20Webclient%20\(WebDAV\)%20service%20is%20deprecated) due to security risks. Enabling WebDAV may allow Claude Code to trigger network requests to remote hosts, bypassing the permission system.

117 117 

118### Team security118### Team security

119 119 

120* Use [managed settings](/en/iam#managed-settings) to enforce organizational standards120* Use [managed settings](/en/permissions#managed-settings) to enforce organizational standards

121* Share approved permission configurations through version control121* Share approved permission configurations through version control

122* Train team members on security best practices122* Train team members on security best practices

123* Monitor Claude Code usage through [OpenTelemetry metrics](/en/monitoring-usage)123* Monitor Claude Code usage through [OpenTelemetry metrics](/en/monitoring-usage)

134## Related resources134## Related resources

135 135 

136* [Sandboxing](/en/sandboxing) - Filesystem and network isolation for bash commands136* [Sandboxing](/en/sandboxing) - Filesystem and network isolation for bash commands

137* [Identity and Access Management](/en/iam) - Configure permissions and access controls137* [Permissions](/en/permissions) - Configure permissions and access controls

138* [Monitoring usage](/en/monitoring-usage) - Track and audit Claude Code activity138* [Monitoring usage](/en/monitoring-usage) - Track and audit Claude Code activity

139* [Development containers](/en/devcontainer) - Secure, isolated environments139* [Development containers](/en/devcontainer) - Secure, isolated environments

140* [Anthropic Trust Center](https://trust.anthropic.com) - Security certifications and compliance140* [Anthropic Trust Center](https://trust.anthropic.com) - Security certifications and compliance

93 These are system-wide paths (not user home directories like `~/Library/...`) that require administrator privileges. They are designed to be deployed by IT administrators.93 These are system-wide paths (not user home directories like `~/Library/...`) that require administrator privileges. They are designed to be deployed by IT administrators.

94 </Note>94 </Note>

95 95 

96 See [Managed settings](/en/iam#managed-settings) and [Managed MCP configuration](/en/mcp#managed-mcp-configuration) for details.96 See [Managed settings](/en/permissions#managed-settings) and [Managed MCP configuration](/en/mcp#managed-mcp-configuration) for details.

97 97 

98 <Note>98 <Note>

99 Managed deployments can also restrict **plugin marketplace additions** using99 Managed deployments can also restrict **plugin marketplace additions** using

140`settings.json` supports a number of options:140`settings.json` supports a number of options:

141 141 

142| Key | Description | Example |142| Key | Description | Example |

143| :--------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | :---------------------------------------------------------------------- |143| :-------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | :---------------------------------------------------------------------- |

144| `apiKeyHelper` | Custom script, to be executed in `/bin/sh`, to generate an auth value. This value will be sent as `X-Api-Key` and `Authorization: Bearer` headers for model requests | `/bin/generate_temp_api_key.sh` |144| `apiKeyHelper` | Custom script, to be executed in `/bin/sh`, to generate an auth value. This value will be sent as `X-Api-Key` and `Authorization: Bearer` headers for model requests | `/bin/generate_temp_api_key.sh` |

145| `cleanupPeriodDays` | Sessions inactive for longer than this period are deleted at startup. Setting to `0` immediately deletes all sessions. (default: 30 days) | `20` |145| `cleanupPeriodDays` | Sessions inactive for longer than this period are deleted at startup. Setting to `0` immediately deletes all sessions. (default: 30 days) | `20` |

146| `companyAnnouncements` | Announcement to display to users at startup. If multiple announcements are provided, they will be cycled through at random. | `["Welcome to Acme Corp! Review our code guidelines at docs.acme.com"]` |146| `companyAnnouncements` | Announcement to display to users at startup. If multiple announcements are provided, they will be cycled through at random. | `["Welcome to Acme Corp! Review our code guidelines at docs.acme.com"]` |

151| `hooks` | Configure custom commands to run at lifecycle events. See [hooks documentation](/en/hooks) for format | See [hooks](/en/hooks) |151| `hooks` | Configure custom commands to run at lifecycle events. See [hooks documentation](/en/hooks) for format | See [hooks](/en/hooks) |

152| `disableAllHooks` | Disable all [hooks](/en/hooks) | `true` |152| `disableAllHooks` | Disable all [hooks](/en/hooks) | `true` |

153| `allowManagedHooksOnly` | (Managed settings only) Prevent loading of user, project, and plugin hooks. Only allows managed hooks and SDK hooks. See [Hook configuration](#hook-configuration) | `true` |153| `allowManagedHooksOnly` | (Managed settings only) Prevent loading of user, project, and plugin hooks. Only allows managed hooks and SDK hooks. See [Hook configuration](#hook-configuration) | `true` |

154| `allowManagedPermissionRulesOnly` | (Managed settings only) Prevent user and project settings from defining `allow`, `ask`, or `deny` permission rules. Only rules in managed settings apply. See [Managed-only settings](/en/permissions#managed-only-settings) | `true` |

154| `model` | Override the default model to use for Claude Code | `"claude-sonnet-4-5-20250929"` |155| `model` | Override the default model to use for Claude Code | `"claude-sonnet-4-5-20250929"` |

155| `otelHeadersHelper` | Script to generate dynamic OpenTelemetry headers. Runs at startup and periodically (see [Dynamic headers](/en/monitoring-usage#dynamic-headers)) | `/bin/generate_otel_headers.sh` |156| `otelHeadersHelper` | Script to generate dynamic OpenTelemetry headers. Runs at startup and periodically (see [Dynamic headers](/en/monitoring-usage#dynamic-headers)) | `/bin/generate_otel_headers.sh` |

156| `statusLine` | Configure a custom status line to display context. See [`statusLine` documentation](/en/statusline) | `{"type": "command", "command": "~/.claude/statusline.sh"}` |157| `statusLine` | Configure a custom status line to display context. See [`statusLine` documentation](/en/statusline) | `{"type": "command", "command": "~/.claude/statusline.sh"}` |

179### Permission settings180### Permission settings

180 181 

181| Keys | Description | Example |182| Keys | Description | Example |

182| :----------------------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :--------------------------------------------------------------------- |183| :----------------------------- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :--------------------------------------------------------------------- |

183| `allow` | Array of permission rules to allow tool use. See [Permission rule syntax](#permission-rule-syntax) below for pattern matching details | `[ "Bash(git diff *)" ]` |184| `allow` | Array of permission rules to allow tool use. See [Permission rule syntax](#permission-rule-syntax) below for pattern matching details | `[ "Bash(git diff *)" ]` |

184| `ask` | Array of permission rules to ask for confirmation upon tool use. See [Permission rule syntax](#permission-rule-syntax) below | `[ "Bash(git push *)" ]` |185| `ask` | Array of permission rules to ask for confirmation upon tool use. See [Permission rule syntax](#permission-rule-syntax) below | `[ "Bash(git push *)" ]` |

185| `deny` | Array of permission rules to deny tool use. Use this to exclude sensitive files from Claude Code access. See [Permission rule syntax](#permission-rule-syntax) and [Bash permission limitations](/en/iam#tool-specific-permission-rules) | `[ "WebFetch", "Bash(curl *)", "Read(./.env)", "Read(./secrets/**)" ]` |186| `deny` | Array of permission rules to deny tool use. Use this to exclude sensitive files from Claude Code access. See [Permission rule syntax](#permission-rule-syntax) and [Bash permission limitations](/en/permissions#tool-specific-permission-rules) | `[ "WebFetch", "Bash(curl *)", "Read(./.env)", "Read(./secrets/**)" ]` |

186| `additionalDirectories` | Additional [working directories](/en/iam#working-directories) that Claude has access to | `[ "../docs/" ]` |187| `additionalDirectories` | Additional [working directories](/en/permissions#working-directories) that Claude has access to | `[ "../docs/" ]` |

187| `defaultMode` | Default [permission mode](/en/iam#permission-modes) when opening Claude Code | `"acceptEdits"` |188| `defaultMode` | Default [permission mode](/en/permissions#permission-modes) when opening Claude Code | `"acceptEdits"` |

188| `disableBypassPermissionsMode` | Set to `"disable"` to prevent `bypassPermissions` mode from being activated. This disables the `--dangerously-skip-permissions` command-line flag. See [managed settings](/en/iam#managed-settings) | `"disable"` |189| `disableBypassPermissionsMode` | Set to `"disable"` to prevent `bypassPermissions` mode from being activated. This disables the `--dangerously-skip-permissions` command-line flag. See [managed settings](/en/permissions#managed-settings) | `"disable"` |

189 190 

190### Permission rule syntax191### Permission rule syntax

191 192 

192Permission rules follow the format `Tool` or `Tool(specifier)`. Understanding the syntax helps you write rules that match exactly what you intend.193Permission rules follow the format `Tool` or `Tool(specifier)`. Rules are evaluated in order: deny rules first, then ask, then allow. The first matching rule wins.

193 194 

194#### Rule evaluation order195Quick examples:

195 

196When multiple rules could match the same tool use, rules are evaluated in this order:

197 

1981. **Deny** rules are checked first

1992. **Ask** rules are checked second

2003. **Allow** rules are checked last

201 

202The first matching rule determines the behavior. This means deny rules always take precedence over allow rules, even if both match the same command.

203 

204#### Matching all uses of a tool

205 

206To match all uses of a tool, use just the tool name without parentheses:

207 196 

208| Rule | Effect |197| Rule | Effect |

209| :--------- | :--------------------------------- |198| :----------------------------- | :--------------------------------------- |

210| `Bash` | Matches **all** Bash commands |199| `Bash` | Matches all Bash commands |

211| `WebFetch` | Matches **all** web fetch requests |200| `Bash(npm run *)` | Matches commands starting with `npm run` |

212| `Read` | Matches **all** file reads |201| `Read(./.env)` | Matches reading the `.env` file |

213 

214`Bash(*)` is equivalent to `Bash` and matches all Bash commands. Both syntaxes can be used interchangeably.

215 

216#### Using specifiers for fine-grained control

217 

218Add a specifier in parentheses to match specific tool uses:

219 

220| Rule | Effect |

221| :----------------------------- | :------------------------------------------------------- |

222| `Bash(npm run build)` | Matches the exact command `npm run build` |

223| `Read(./.env)` | Matches reading the `.env` file in the current directory |

224| `WebFetch(domain:example.com)` | Matches fetch requests to example.com |202| `WebFetch(domain:example.com)` | Matches fetch requests to example.com |

225 203 

226#### Wildcard patterns204For the complete rule syntax reference, including wildcard behavior, tool-specific patterns for Read, Edit, WebFetch, MCP, and Task rules, and security limitations of Bash patterns, see [Permission rule syntax](/en/permissions#permission-rule-syntax).

227 

228Bash rules support glob patterns with `*`. Wildcards can appear at any position in the command, including at the beginning, middle, or end. The following configuration allows npm and git commit commands while blocking git push:

229 

230```json theme={null}

231{

232 "permissions": {

233 "allow": [

234 "Bash(npm run *)",

235 "Bash(git commit *)",

236 "Bash(git * main)",

237 "Bash(* --version)",

238 "Bash(* --help *)"

239 ],

240 "deny": [

241 "Bash(git push *)"

242 ]

243 }

244}

245```

246 

247The space before `*` matters: `Bash(ls *)` matches `ls -la` but not `lsof`, while `Bash(ls*)` matches both. The legacy `:*` suffix syntax (e.g., `Bash(npm run:*)`) is equivalent to ` *` but is deprecated.

248 

249<Warning>

250 Bash permission patterns that try to constrain command arguments are fragile. For example, `Bash(curl http://github.com/ *)` intends to restrict curl to GitHub URLs, but won't match `curl -X GET http://github.com/...` (flags before URL), `curl https://github.com/...` (different protocol), or commands using shell variables. Do not rely on argument-constraining patterns as a security boundary. See [Bash permission limitations](/en/iam#tool-specific-permission-rules) for alternatives.

251</Warning>

252 

253For detailed information about tool-specific permission patterns—including Read, Edit, WebFetch, MCP, Task rules, and Bash permission limitations—see [Tool-specific permission rules](/en/iam#tool-specific-permission-rules).

254 205 

255### Sandbox settings206### Sandbox settings

256 207 

550 501 

551#### `strictKnownMarketplaces`502#### `strictKnownMarketplaces`

552 503 

553**Managed settings only**: Controls which plugin marketplaces users are allowed to add. This setting can only be configured in [`managed-settings.json`](/en/iam#managed-settings) and provides administrators with strict control over marketplace sources.504**Managed settings only**: Controls which plugin marketplaces users are allowed to add. This setting can only be configured in [`managed-settings.json`](/en/permissions#managed-settings) and provides administrators with strict control over marketplace sources.

554 505 

555**Managed settings file locations**:506**Managed settings file locations**:

556 507 

896| **Write** | Creates or overwrites files | Yes |847| **Write** | Creates or overwrites files | Yes |

897| **LSP** | Code intelligence via language servers. Reports type errors and warnings automatically after file edits. Also supports navigation operations: jump to definitions, find references, get type info, list symbols, find implementations, trace call hierarchies. Requires a [code intelligence plugin](/en/discover-plugins#code-intelligence) and its language server binary | No |848| **LSP** | Code intelligence via language servers. Reports type errors and warnings automatically after file edits. Also supports navigation operations: jump to definitions, find references, get type info, list symbols, find implementations, trace call hierarchies. Requires a [code intelligence plugin](/en/discover-plugins#code-intelligence) and its language server binary | No |

898 849 

899Permission rules can be configured using `/allowed-tools` or in [permission settings](/en/settings#available-settings). Also see [Tool-specific permission rules](/en/iam#tool-specific-permission-rules).850Permission rules can be configured using `/allowed-tools` or in [permission settings](/en/settings#available-settings). Also see [Tool-specific permission rules](/en/permissions#tool-specific-permission-rules).

900 851 

901### Bash tool behavior852### Bash tool behavior

902 853 

971 922 

972## See also923## See also

973 924 

974* [Identity and Access Management](/en/iam#configuring-permissions) - Permission system overview and how allow/ask/deny rules interact925* [Permissions](/en/permissions): permission system, rule syntax, tool-specific patterns, and managed policies

975* [Tool-specific permission rules](/en/iam#tool-specific-permission-rules) - Detailed patterns for Bash, Read, Edit, WebFetch, MCP, and Task tools, including security limitations926* [Authentication](/en/authentication): set up user access to Claude Code

976* [Managed settings](/en/iam#managed-settings) - Managed policy configuration for organizations927* [Troubleshooting](/en/troubleshooting): solutions for common configuration issues

977* [Troubleshooting](/en/troubleshooting) - Solutions for common configuration issues

8 8 

9## System requirements9## System requirements

10 10 

11* **Operating Systems**: macOS 13.0+, Ubuntu 20.04+/Debian 10+, or Windows 10 1809+ / Windows Server 2019+ (with WSL 1, WSL 2, or Git for Windows)11* **Operating System**:

12 * macOS 13.0+

13 * Windows 10 1809+ or Windows Server 2019+ ([see setup notes](#platform-specific-setup))

14 * Ubuntu 20.04+

15 * Debian 10+

16 * Alpine Linux 3.19+ ([additional dependencies required](#platform-specific-setup))

12* **Hardware**: 4 GB+ RAM17* **Hardware**: 4 GB+ RAM

13* **Network**: Internet connection required (see [network configuration](/en/network-config#network-access-requirements))18* **Network**: Internet connection required (see [network configuration](/en/network-config#network-access-requirements))

14* **Shell**: Works best in Bash or Zsh19* **Shell**: Works best in Bash or Zsh

27 <Tab title="Native Install (Recommended)">32 <Tab title="Native Install (Recommended)">

28 **macOS, Linux, WSL:**33 **macOS, Linux, WSL:**

29 34 

30 ```bash theme={null}35 ```bash theme={null} theme={null} theme={null} theme={null} theme={null}

31 curl -fsSL https://claude.ai/install.sh | bash36 curl -fsSL https://claude.ai/install.sh | bash

32 ```37 ```

33 38 

34 **Windows PowerShell:**39 **Windows PowerShell:**

35 40 

36 ```powershell theme={null}41 ```powershell theme={null} theme={null} theme={null} theme={null} theme={null}

37 irm https://claude.ai/install.ps1 | iex42 irm https://claude.ai/install.ps1 | iex

38 ```43 ```

39 44 

40 **Windows CMD:**45 **Windows CMD:**

41 46 

42 ```batch theme={null}47 ```batch theme={null} theme={null} theme={null} theme={null} theme={null}

43 curl -fsSL https://claude.ai/install.cmd -o install.cmd && install.cmd && del install.cmd48 curl -fsSL https://claude.ai/install.cmd -o install.cmd && install.cmd && del install.cmd

44 ```49 ```

45 50 

49 </Tab>54 </Tab>

50 55 

51 <Tab title="Homebrew">56 <Tab title="Homebrew">

52 ```sh theme={null}57 ```sh theme={null} theme={null} theme={null} theme={null} theme={null}

53 brew install --cask claude-code58 brew install --cask claude-code

54 ```59 ```

55 60 

59 </Tab>64 </Tab>

60 65 

61 <Tab title="WinGet">66 <Tab title="WinGet">

62 ```powershell theme={null}67 ```powershell theme={null} theme={null} theme={null} theme={null} theme={null}

63 winget install Anthropic.ClaudeCode68 winget install Anthropic.ClaudeCode

64 ```69 ```

65 70 

82 Run `claude doctor` after installation to check your installation type and version.87 Run `claude doctor` after installation to check your installation type and version.

83</Tip>88</Tip>

84 89 

85<Note>90### Platform-specific setup

86 **Alpine Linux and other musl/uClibc-based distributions**: The native installer requires `libgcc`, `libstdc++`, and `ripgrep`. For Alpine: `apk add libgcc libstdc++ ripgrep`. Set `USE_BUILTIN_RIPGREP=0`.91 

87</Note>92**Windows**: Run Claude Code natively (requires [Git Bash](https://git-scm.com/downloads/win)) or inside WSL. Both WSL 1 and WSL 2 are supported, but WSL 1 has limited support and does not support features like Bash tool sandboxing.

93 

94**Alpine Linux and other musl/uClibc-based distributions**:

95 

96The native installer on Alpine and other musl/uClibc-based distributions requires `libgcc`, `libstdc++`, and `ripgrep`. Install these using your distribution's package manager, then set `USE_BUILTIN_RIPGREP=0`.

97 

98On Alpine:

99 

100```bash theme={null}

101apk add libgcc libstdc++ ripgrep

102```

88 103 

89### Authentication104### Authentication

90 105 

238}253}

239```254```

240 255 

241For enterprise deployments, you can enforce a consistent release channel across your organization using [managed settings](/en/iam#managed-settings).256For enterprise deployments, you can enforce a consistent release channel across your organization using [managed settings](/en/permissions#managed-settings).

242 257 

243### Disable auto-updates258### Disable auto-updates

244 259 

77Where you store a skill determines who can use it:77Where you store a skill determines who can use it:

78 78 

79| Location | Path | Applies to |79| Location | Path | Applies to |

80| :--------- | :----------------------------------------------- | :----------------------------- |80| :--------- | :------------------------------------------------------- | :----------------------------- |

81| Enterprise | See [managed settings](/en/iam#managed-settings) | All users in your organization |81| Enterprise | See [managed settings](/en/permissions#managed-settings) | All users in your organization |

82| Personal | `~/.claude/skills/<skill-name>/SKILL.md` | All your projects |82| Personal | `~/.claude/skills/<skill-name>/SKILL.md` | All your projects |

83| Project | `.claude/skills/<skill-name>/SKILL.md` | This project only |83| Project | `.claude/skills/<skill-name>/SKILL.md` | This project only |

84| Plugin | `<plugin>/skills/<skill-name>/SKILL.md` | Where plugin is enabled |84| Plugin | `<plugin>/skills/<skill-name>/SKILL.md` | Where plugin is enabled |

409 409 

410### Restrict Claude's skill access410### Restrict Claude's skill access

411 411 

412By default, Claude can invoke any skill that doesn't have `disable-model-invocation: true` set. Skills that define `allowed-tools` grant Claude access to those tools without per-use approval when the skill is active. Your [permission settings](/en/iam) still govern baseline approval behavior for all other tools. Built-in commands like `/compact` and `/init` are not available through the Skill tool.412By default, Claude can invoke any skill that doesn't have `disable-model-invocation: true` set. Skills that define `allowed-tools` grant Claude access to those tools without per-use approval when the skill is active. Your [permission settings](/en/permissions) still govern baseline approval behavior for all other tools. Built-in commands like `/compact` and `/init` are not available through the Skill tool.

413 413 

414Three ways to control which skills Claude can invoke:414Three ways to control which skills Claude can invoke:

415 415 

420Skill420Skill

421```421```

422 422 

423**Allow or deny specific skills** using [permission rules](/en/iam):423**Allow or deny specific skills** using [permission rules](/en/permissions):

424 424 

425```425```

426# Allow only specific skills426# Allow only specific skills

445 445 

446* **Project skills**: Commit `.claude/skills/` to version control446* **Project skills**: Commit `.claude/skills/` to version control

447* **Plugins**: Create a `skills/` directory in your [plugin](/en/plugins)447* **Plugins**: Create a `skills/` directory in your [plugin](/en/plugins)

448* **Managed**: Deploy organization-wide through [managed settings](/en/iam#managed-settings)448* **Managed**: Deploy organization-wide through [managed settings](/en/permissions#managed-settings)

449 449 

450### Generate visual output450### Generate visual output

451 451 

667* **[Hooks](/en/hooks)**: automate workflows around tool events667* **[Hooks](/en/hooks)**: automate workflows around tool events

668* **[Memory](/en/memory)**: manage CLAUDE.md files for persistent context668* **[Memory](/en/memory)**: manage CLAUDE.md files for persistent context

669* **[Interactive mode](/en/interactive-mode#built-in-commands)**: built-in commands and shortcuts669* **[Interactive mode](/en/interactive-mode#built-in-commands)**: built-in commands and shortcuts

670* **[Permissions](/en/iam)**: control tool and skill access670* **[Permissions](/en/permissions)**: control tool and skill access

137 137 

138**On the web**: The complete Claude Code session with full conversation history, all code changes, file operations, and the ability to continue the session or create pull requests.138**On the web**: The complete Claude Code session with full conversation history, all code changes, file operations, and the ability to continue the session or create pull requests.

139 139 

140For Enterprise and Teams accounts, sessions created from Claude in Slack are

141automatically visible to the organization. See [Claude Code on the Web sharing](/en/claude-code-on-the-web#sharing-sessions)

142for more details.

143 

140## Best practices144## Best practices

141 145 

142### Writing effective requests146### Writing effective requests

336claude --disallowedTools "Task(Explore)"336claude --disallowedTools "Task(Explore)"

337```337```

338 338 

339See [IAM documentation](/en/iam#tool-specific-permission-rules) for more details on permission rules.339See [Permissions documentation](/en/permissions#tool-specific-permission-rules) for more details on permission rules.

340 340 

341### Define hooks for subagents341### Define hooks for subagents

342 342 

109 109 

110Select a deployment option to view setup instructions:110Select a deployment option to view setup instructions:

111 111 

112* [Claude for Teams or Enterprise](/en/iam#claude-for-teams-or-enterprise-recommended)112* [Claude for Teams or Enterprise](/en/authentication#claude-for-teams-or-enterprise)

113* [Anthropic Console](/en/iam#claude-console-authentication)113* [Anthropic Console](/en/authentication#claude-console-authentication)

114* [Amazon Bedrock](/en/amazon-bedrock)114* [Amazon Bedrock](/en/amazon-bedrock)

115* [Google Vertex AI](/en/google-vertex-ai)115* [Google Vertex AI](/en/google-vertex-ai)

116* [Microsoft Foundry](/en/microsoft-foundry)116* [Microsoft Foundry](/en/microsoft-foundry)

167### Repeated permission prompts167### Repeated permission prompts

168 168 

169If you find yourself repeatedly approving the same commands, you can allow specific tools169If you find yourself repeatedly approving the same commands, you can allow specific tools

170to run without approval using the `/permissions` command. See [Permissions docs](/en/iam#configuring-permissions).170to run without approval using the `/permissions` command. See [Permissions docs](/en/permissions#manage-permissions).

171 171 

172### Authentication issues172### Authentication issues

173 173