Skip to main content
The permission system controls which actions the agent can perform without asking for your approval. You can pre-approve safe actions, block dangerous ones, and always prompt for sensitive operations.

Default Permission Behavior

Devin CLI uses a tiered permission system to balance power and safety. The default behavior depends on the current mode: Each cell shows whether that tool runs automatically (Auto, no prompt) or waits for your approval (Prompt) in that mode: In Normal mode (the default), read-only operations are auto-approved while writes and shell commands require your explicit approval. Each time you approve an action, you can choose to allow it once, for the session, or permanently for the project. In Accept Edits mode, file edits within the workspace are auto-approved, but shell commands and writes outside the workspace still prompt. In Bypass mode, all tool calls are auto-approved without prompting. In Autonomous mode, shell commands and network fetches auto-approve because the OS-level sandbox enforces what they can touch. Direct file edits via the edit/write tools still prompt, because those tools operate outside the sandbox. Autonomous is only available when the OS-level sandbox is active.
Bypass and Autonomous modes do not override organization-level permissions. Admin-enforced deny and ask rules configured via Team Settings remain active regardless of the user’s permission mode. See Precedence for details.

Autonomous Mode

Autonomous is the permission mode that pairs with the --sandbox flag. Conceptually it is roughly “Accept Edits in the current workspace” plus the ability to run any shell command, with both behaviors contained by the OS-level sandbox. When sandbox is active:
  • It is the only permission mode available. Normal, Accept Edits, and Bypass are hidden in sandbox sessions. Plan mode remains available.
  • Shell commands and fetches auto-approve instead of prompting, because the sandbox enforces what they can read, write, and reach over the network.
  • Direct file edits via the edit and write tools still prompt. These tools run inside the CLI process rather than inside the sandbox, so they cannot be bounded by it. Granting a Write(...) scope at the prompt dynamically expands the sandbox so subsequent shell commands can write there.
  • Scopes granted mid-session dynamically expand the sandbox for subsequent commands.
Use Bypass when you want unrestricted execution without OS-level isolation; use --sandbox (which selects Autonomous) when you want unattended execution with OS-enforced limits on filesystem and network access. See the sandbox configuration reference for details on writable/readable roots and domain filtering, and Team Settings → Sandbox Enforcement for enterprise controls.

How Permissions Work

When the agent calls a tool, the permission system checks your rules in priority order:
  1. Deny rules — Checked first. If matched, the action is blocked immediately.
  2. Ask rules — Checked second. If matched, you’re always prompted (overrides any allow rules).
  3. Allow rules — Checked last. If matched, the action proceeds without prompting.
  4. Default — If no rule matches, you’re prompted for approval.
Because deny is checked before ask, and ask is checked before allow, a deny rule always wins. If the same scope matches both a deny and an ask rule, the deny takes effect.

Configuration

Add permissions to your config file’s permissions section:
On Windows, the user config path is %APPDATA%\devin\config.json (typically C:\Users\<you>\AppData\Roaming\devin\config.json) rather than ~/.config/devin/config.json. See Configuration File for details.

Permission Syntax

There are two types of permission matchers: scope-based (controlling what paths/commands/URLs are accessible) and tool-based (controlling which tools can be used).

Scope-Based Permissions

Read(glob)

Controls file read access. The glob pattern matches file paths.
Directory paths automatically match all files within them.
Controls file write/edit access.
Controls shell command execution. Matches commands that start with the given prefix.
Exec(git) matches “git”, “git status”, “git commit -m ‘msg’” but NOT “gitk” or “github-cli”. The prefix must match as a complete word.
Controls HTTP fetch access using URL patterns.
URL patterns follow the WHATWG URL Pattern standard. The domain: shorthand matches any path on the exact domain.

Tool-Based Permissions

Match by tool name to control entire tools:
Available tool names: read, edit, grep, glob, exec

MCP Tool Permissions

Control access to MCP server tools:

Path Patterns

Glob patterns in Read() and Write() support: Examples:
Use an absolute path prefix (e.g., Read(/**)) when you want to match all files on the system. A bare Read(**) without a leading / is resolved relative to your current working directory, so it only matches files under that directory — not files accessed via absolute paths elsewhere.

Persistence Options

When the agent asks for permission during a session, you can choose how to save your decision:

MCP Server-Level Grants

When prompted for a specific MCP tool (e.g., list_issues on the Figma server), the permission prompt also offers broader server-level options: This lets you quickly grant blanket access to a trusted MCP server without approving each tool individually.

Precedence

When multiple permission sources define rules, they’re merged with this precedence (highest first):
  1. Organization/team settings (if enterprise)
  2. Session-level grants (interactive approvals)
  3. Project local config (.devin/config.local.json)
  4. Project config (.devin/config.json)
  5. User config (~/.config/devin/config.json; %APPDATA%\devin\config.json on Windows)
Organization-level denials cannot be overridden by project or user config. This ensures enterprise policies are enforced.

Examples

Minimal Development Setup

Allow common read-only operations, prompt for everything else:

Full Trust for a Project

Auto-approve most operations within the project:

Locked-Down Enterprise

Restrict to specific safe operations, always prompt for writes:
In this example, writes to .env* are denied outright, all other writes always prompt the user, and only a few read-only commands are auto-approved. Since deny is checked before ask, the .env* denial takes priority over the Write(**) ask rule.