What is Auto Mode in Claude Code?
TL;DR: Auto Mode is a new permission mode in Claude Code that eliminates approval prompts. A safety classifier (Sonnet 4.6) analyzes every action before execution and blocks destructive ones. Available for Team plans, Enterprise and API coming soon.
Auto Mode is a permission mode introduced by Anthropic in March 2026 (official announcement, documentation). It lets Claude Code execute actions without asking for your approval, while running every action through a safety classifier that blocks destructive operations.
It's the fifth permission mode in Claude Code, sitting between plan (read-only) and bypassPermissions (no checks at all).
The problem Auto Mode solves
Claude Code asks for your approval by default for every file write and shell command. It's safe, but slow. On a 200-file refactor, you spend more time clicking "Yes" than thinking.
The existing alternative, --dangerously-skip-permissions, disables all checks. Claude executes everything without asking. Fast, but the flag name isn't there for decoration: no protection against destructive actions, prompt injections, or misjudgments.
Auto Mode is the middle ground. Claude acts without interrupting you, but a safety classifier checks every action in the background before it runs.
How does Auto Mode work?
Before each tool call, a separate classifier model (Claude Sonnet 4.6) evaluates the action. The decision order is strict:
1. Your allow/deny rules apply first
2. Read-only actions and file edits in your working directory are auto-approved
3. Everything else goes through the classifier
4. If the classifier blocks, Claude receives the reason and tries an alternative approach
The classifier receives your messages and tool calls as input, but never tool results. A malicious file read by Claude cannot manipulate the classifier directly.
What the classifier blocks by default
The classifier trusts your working directory and configured Git remotes. Everything else is treated as external.
Blocked:
- Downloading and executing code (
curl | bash, scripts from cloned repos) - Sending sensitive data to external endpoints
- Production deployments and migrations
- Mass deletion on cloud storage
- Granting IAM or repo permissions
- Modifying shared infrastructure
- Irreversibly destroying files that existed before the session
- Destructive Git operations (force push, pushing to main)
Allowed:
- Local file operations in your working directory
- Installing dependencies declared in your lock files
- Reading
.envand sending credentials to their matching API - Read-only HTTP requests
- Pushing to the current branch or one Claude created
To see the full default rules:
claude auto-mode defaultsSubagent handling
When Claude spawns a subagent, the classifier evaluates the delegated task before it starts. The subagent inherits the same rules as the parent session. When it finishes, the classifier reviews the subagent's full action history.
What is the cost and latency impact?
Auto Mode has a cost. Each checked action sends a portion of the conversation transcript to the classifier. In practice:
- Read-only actions and local file edits don't trigger the classifier
- Shell commands and network operations go through the classifier
- Each check adds a network round-trip before execution
Token consumption is higher than default mode, especially on long sessions with many shell commands.
The fallback mechanism
If the classifier blocks an action 3 consecutive times or 20 times total in a session, Auto Mode pauses. Claude Code returns to classic mode with prompts for each action. Manually approving an action resets the denial counters.
In non-interactive mode (-p), the session aborts.
Enabling Auto Mode
Prerequisites
- Plan: Team (Enterprise and API coming soon)
- Model: Claude Sonnet 4.6 or Opus 4.6 only
- Admin: must enable Auto Mode in admin settings
CLI
claude --enable-auto-modeThen use Shift+Tab to cycle between modes: default → acceptEdits → plan → auto.
VS Code
Enable "Allow dangerously skip permissions" in the extension settings, then select "Auto" from the mode selector at the bottom of the prompt area.
Desktop
Enable Auto Mode in Settings → Claude Code, then select it from the mode selector next to the send button.
Disabling for an organization
Administrators can block Auto Mode for all users:
{
"disableAutoMode": "disable"
}Permission modes comparison
| default | acceptEdits | plan | auto | bypassPermissions | |
|---|---|---|---|---|---|
| Prompts | Files and commands | Commands only | Files and commands | None (unless fallback) | None |
| Safety checks | Manual review | Command review | Manual review | Automatic classifier | None |
| Tokens | Standard | Standard | Standard | Higher | Standard |
| Use case | Sensitive work | Fast iteration | Exploration | Long-running tasks | Isolated containers |
When to use which mode?
Auto Mode suits long-running tasks where you trust Claude to act within the requested scope: massive refactoring, code migration, batch test generation. You kick off the task and come back for the result.
default remains the right choice for sensitive work: production config changes, deployment scripts, anything touching infrastructure.
acceptEdits is ideal for fast iteration: Claude writes, you review diffs, you only approve shell commands.
plan is for exploration. Claude reads and analyzes, proposes a plan, but doesn't touch anything.
bypassPermissions should never leave an isolated container or disposable VM.
What are Auto Mode's limitations?
Auto Mode is in research preview. A few things to keep in mind:
1. False negatives possible: the classifier may allow risky actions if user intent is ambiguous or Claude lacks context about your environment
2. False positives possible: the classifier may block benign actions, forcing Claude to find workarounds
3. Not available on Haiku, claude-3 models, or third-party providers (Bedrock, Vertex, Foundry)
4. No absolute safety guarantee: Anthropic still recommends using it in isolated environments
Auto Mode doesn't replace vigilance. It reduces interruptions, not risk to zero.
Advanced configuration
Customizing classifier rules
If Auto Mode blocks routine actions for your team, administrators can add trusted repos, buckets, and internal services via the autoMode.environment setting.
Interaction with allow rules
When entering Auto Mode, Claude Code automatically drops allow rules that grant arbitrary code execution: blanket shell access (Bash()), wildcarded interpreters (Bash(python), Bash(node*)), package manager run commands, and any Agent rule. Narrow rules like Bash(npm test) carry over.
Dropped rules are restored when you leave the mode.
Learn more
Auto Mode is just one of Claude Code's modes. Our one-day Claude Code training covers CLAUDE.md files, Plan Mode, subagents, hooks, and custom skill creation.
