Skip to main content
Tool permission callbacks allow you to control which tools Claude can use and modify their inputs before execution. This is essential for building secure applications.

Basic Permission Callback

Create a callback function that returns PermissionResultAllow or PermissionResultDeny:

Allowing Specific Operations

Automatically approve safe, read-only operations:

Denying Dangerous Operations

Block operations that could be harmful:

Modifying Tool Inputs

Redirect operations to safe locations by modifying inputs:

Logging Tool Usage

Track which tools are being used:

Using Permission Callbacks

Configure the callback in ClaudeAgentOptions:

Complete Example

Permission Context

The ToolPermissionContext provides additional information:
You can use this context to make more informed decisions:

Key Takeaways

  • Use can_use_tool parameter in ClaudeAgentOptions to set your callback
  • Return PermissionResultAllow() to allow tool use
  • Return PermissionResultDeny(message="...") to deny tool use
  • Use updated_input to modify tool inputs before execution
  • Set permission_mode="default" to ensure callbacks are invoked
  • Log tool usage for auditing and debugging

Next Steps

Hooks

Advanced customization with hooks

MCP Calculator

Build custom MCP tools