Skip to content
Book a demo

Manage permissions

Permissions control what an agent is allowed to do inside its sandbox: read files, run bash commands, make web requests, and more. You set permissions at the project level and can override them per agent version.

How permissions work

A permission config is either a single action ("allow", "deny", "ask") or an object with granular keys. Agent-level permissions override project-level permissions. An explicit deny always wins over allow.

The available permission keys are:

KeyControls
readRead files in the sandbox
editWrite or modify files
globSearch files by pattern
grepSearch file contents
listList directory contents
bashRun shell commands
taskCreate and manage sub-tasks
external_directoryAccess directories outside the project
todowriteWrite to the todo list
questionAsk clarifying questions
webfetchFetch external URLs
websearchSearch the web
codesearchSearch code with semantic search
lspUse language server features
doom_loopAllow the agent to loop without intervention
skillLoad and execute skills

See Permissions for the full concept.

In the UI

In the UI

  1. Open a project and go to Settings → Permissions.

  2. Set the default policy for each capability: Allow, Deny, or Ask.

  3. To override for a specific agent, open the agent’s version settings and adjust the permissions there.

  4. Click Save.

Programmatically

Set project-level permissions

Terminal window
ren projects update prj_def456 \
--permission '{"read": "allow", "edit": "allow", "bash": "ask"}'

Set agent-version-level permissions

Terminal window
ren agents versions create agt_abc123 \
--permission '{"bash": "deny", "webfetch": "deny"}'