Security & Permissions Intermediate

Allowlist Specific Tools

Restrict Claude to only specific tools using --allowedTools and --disallowedTools

Command

$ claude -p "List and read files" \
    --allowedTools "Read,Glob,Grep" \
    --disallowedTools "Write,Edit,Bash,WebFetch,WebSearch" \
    --output-format json

Response

{
  "result": "Found 12 TypeScript files...",
  "num_turns": 3,
  "permission_denials": []
}

Parsing Code

// data is the parsed JSON response from the command above
// Check which tools were blocked
if (data.permission_denials.length > 0) {
  console.warn('Tools were blocked:',
    data.permission_denials.map(d => d.tool_name));
}

Gotchas

! CRITICAL: --allowedTools alone does NOT prevent writes — Claude falls back to Bash (echo > file). You MUST also add --disallowedTools
! --disallowedTools always takes priority over --allowedTools
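
An added example (not part of the original recipe or of the Claude Code project): a Node.js preflight check that enforces both gotchas before the command is launched, then audits permission_denials in the response. The helper names and the Write/Edit/Bash write-capable set are assumptions drawn from the command above, and the sample response is constructed.

```javascript
// Added example; checkPolicy, buildArgs and deniedTools are hypothetical helpers.
// Tools that can modify files, taken from the page's --disallowedTools list (assumption).
const WRITE_CAPABLE = ['Write', 'Edit', 'Bash'];

// Return the effective tool set, or throw if the policy leaves a write path open.
function checkPolicy({ allowed, disallowed }) {
  const deny = new Set(disallowed);
  // Gotcha 1: an allowlist alone is not enough, so every write-capable
  // tool must be denied explicitly.
  const missing = WRITE_CAPABLE.filter(t => !deny.has(t));
  if (missing.length > 0) {
    throw new Error('write-capable tools not in --disallowedTools: ' + missing.join(','));
  }
  // Gotcha 2: --disallowedTools takes priority, so a tool on both lists is unusable.
  return allowed.filter(t => !deny.has(t));
}

// Build the argv for the command shown on the page (an array, so no shell quoting).
function buildArgs(prompt, policy) {
  checkPolicy(policy);
  return ['-p', prompt,
    '--allowedTools', policy.allowed.join(','),
    '--disallowedTools', policy.disallowed.join(','),
    '--output-format', 'json'];
}

// Parse the JSON response and return the unique tool names that were denied.
function deniedTools(stdout) {
  const data = JSON.parse(stdout);
  // Fail closed: a response without the field cannot be audited.
  if (!Array.isArray(data.permission_denials)) {
    throw new Error('response has no permission_denials array');
  }
  return [...new Set(data.permission_denials.map(d => d.tool_name))];
}

// Constructed sample response, shaped like the one on the page, with two Bash denials.
const sample = JSON.stringify({
  result: 'Found 12 TypeScript files...',
  num_turns: 3,
  permission_denials: [{ tool_name: 'Bash' }, { tool_name: 'Bash' }],
});

const policy = {
  allowed: ['Read', 'Glob', 'Grep'],
  disallowed: ['Write', 'Edit', 'Bash', 'WebFetch', 'WebSearch'],
};
console.log('claude ' + buildArgs('List and read files', policy).join(' '));
console.log('denied:', deniedTools(sample));
```

A non-empty result from deniedTools on a read-only run is worth logging: it shows the model attempted a tool outside the policy.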
