--- title: Permissions description: Control which actions require approval to run. --- By default, OpenCode **allows all operations** without requiring explicit approval. You can configure this using the `permission` option. ```json title="opencode.json" { "$schema": "https://opencode.ai/config.json", "permission": { "edit": "allow", "bash": "ask", "webfetch": "deny" } } ``` This lets you configure granular controls for the `edit`, `bash`, and `webfetch` tools. - `"ask"` — Prompt for approval before running the tool - `"allow"` — Allow all operations without approval - `"deny"` — Disable the tool --- ## Tools Currently, the permissions for the `edit`, `bash`, and `webfetch` tools can be configured through the `permission` option. --- ### edit Use the `permission.edit` key to control whether file editing operations require user approval. ```json title="opencode.json" {4} { "$schema": "https://opencode.ai/config.json", "permission": { "edit": "ask" } } ``` --- ### bash You can use the `permission.bash` key to control whether bash commands as a whole need user approval. ```json title="opencode.json" {4} { "$schema": "https://opencode.ai/config.json", "permission": { "bash": "ask" } } ``` Or, you can target specific commands and set it to `allow`, `ask`, or `deny`. ```json title="opencode.json" { "$schema": "https://opencode.ai/config.json", "permission": { "bash": { "git push": "ask", "git status": "allow", "git diff": "allow", "npm run build": "allow", "ls": "allow", "pwd": "allow" } } } ``` --- #### Wildcards You can also use wildcards to manage permissions for specific bash commands. :::tip You can use wildcards to manage permissions for specific bash commands. ::: For example, **disable all** Terraform commands. ```json title="opencode.json" {5} { "$schema": "https://opencode.ai/config.json", "permission": { "bash": { "terraform *": "deny" } } } ``` You can also use the `*` wildcard to manage permissions for all commands. For example, **deny all commands** except a couple of specific ones. ```json title="opencode.json" {5} { "$schema": "https://opencode.ai/config.json", "permission": { "bash": { "*": "deny", "pwd": "allow", "git status": "ask" } } } ``` Here a specific rule can override the `*` wildcard. --- ##### Glob patterns The wildcard uses simple regex globbing patterns. - `*` matches zero or more of any character - `?` matches exactly one character - All other characters match literally --- ### webfetch Use the `permission.webfetch` key to control whether the LLM can fetch web pages. ```json title="opencode.json" {4} { "$schema": "https://opencode.ai/config.json", "permission": { "webfetch": "ask" } } ``` --- ## Agents You can also configure permissions per agent. Where the agent specific config overrides the global config. [Learn more](/docs/agents#permissions) about agent permissions. ```json title="opencode.json" {3-7,10-14} { "$schema": "https://opencode.ai/config.json", "permission": { "bash": { "git push": "ask" } }, "agent": { "build": { "permission": { "bash": { "git push": "allow" } } } } } ``` For example, here the `build` agent overrides the global `bash` permission to allow `git push` commands. You can also configure permissions for agents in Markdown. ```markdown title="~/.config/opencode/agent/review.md" --- description: Code review without edits mode: subagent permission: edit: deny bash: ask webfetch: deny --- Only analyze code and suggest changes. ```