Agent Permissions
Configure how the Agent behaves and fine-tune when it should act on its own or ask for your approval.
Agent Permissions let you define how your Agent operates—control its autonomy, choose what tools, models, or MCP servers it can access, and set when it should act independently or ask for approval. You can also fine-tune its natural language behavior and other capabilities.
Model choice
Base model: this model serves as the core engine for your Agentic Development Environment. It drives most interactions and invokes other models as necessary. There's an option in the app to show the model picker as well.
Planning model: responsible for breaking down complex tasks into actionable steps and creating structured execution plans.

Permissions
You can control how much autonomy the Agent has when performing different types of actions under Settings > AI > Agents > Permissions
. There are four permission types:
Apply code diffs
Read files
Create plans
Execute commands

Each permission has three levels of autonomy:
Always ask
Agent will request explicit user approval before taking any action. Choose this for sensitive actions.
Always allow
Agent will perform the action without ever requesting explicit conformation. Use this for tasks you fully trust the Agent to handle on its own.
Agent Decides
Agent will act autonomously when it's confident, but prompt for approval when uncertain. This option balances speed with control, allowing the Agent to go ahead with common workflows while keeping you in the loop for more complex or risky steps.
Note:
Command allowlist
The Warp Agent lets you define an allowlist of commands that run automatically without confirmation. It’s empty by default, but users often add read-only commands such as:
which .*
- Find executable locationsls(\s.*)?
- List directory contentsgrep(\s.*)?
- Search file contentsfind .*
- Search for filesecho(\s.*)?
- Print text output
You can add your own regular expressions to this list in Settings > AI > Agents > Command allowlist
. Commands in the allowlist will always auto-execute, even if they are not read-only operations.
Command denylist
For safety, the Agent always prompts for confirmation before executing potentially risky commands. The default denylist includes several examples, such as:
wget(\s.*)?
- Network downloadscurl(\s.*)?
- Network requestsrm(\s.*)?
- File deletioneval(\s.*)?
- Shell code execution
The denylist takes precedence over both the allowlist and Agent decides
. If a command matches the denylist, user permission will always be required, regardless of other settings. You can add your own regular expressions to this list in Settings > AI > Agents > Command denylist
.
Run until completion
During an Agent interaction, you can give the Agent full autonomy for the current task. When auto-approve is on, every suggested command runs immediately until the task finishes, or you stop it with Ctrl + C
.
Auto-approve all Agent actions with: CMD + SHIFT + I

MCP permissions
MCP servers let you extend the Agent with custom tools and data sources using standardized, plugin-like modules.
In this settings menu, you can configure which MCP servers the Agent is allowed to call:
Use the MCP allowlist to give the Agent permission to call specific servers without asking.
Use the MCP denylist to require approval before calling certain servers, even if they’re also in the allowlist.
Or set the Agent to “decide” — it will act autonomously when confident, and ask for confirmation when uncertain.

To learn how to build and configure your own MCP server, check out the MCP feature docs.
Last updated
Was this helpful?