Tool permission
Tool permission is the agent-platform mechanism for granting or denying specific tool calls (read this file, run this command, call this API), a required guardrail for any production agent with non-trivial side effects in 2026.
Before permissioning, agents either trusted every call (dangerous) or required manual approval for each one (slow). Modern tool permissioning splits tools by risk: auto-approve safe reads (`ls`, `grep`, file reads); gate destructive actions (`rm`, `git push`, API writes) behind approval; allowlist external API hosts (call only our backend, not arbitrary domains); cap the cost of each tool (an LLM tool call may consume at most N tokens). Implementations include Claude Code's settings.json tool ACL, Cursor's command allowlist, MCP's per-server permission scopes, and Cline's plan-mode visibility. Production patterns: tighter permissions for autonomous background agents, looser ones for human-in-the-loop interactive sessions, and a full audit log of every tool call for forensics.
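As an added illustration (not code from the glossary or from any of the products it names), the following policy evaluator implements the split described above: safe reads are auto-approved, destructive shell commands and file writes are gated, HTTP calls are checked against a host allowlist, each call is subject to a token cost cap, and every decision lands in an audit log. The tool names, command lists, allowed host and budget are constructed for the example; the "autonomous" mode turns gated actions into denials because no human can approve them in an unattended run.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse
import shlex

# Constructed classification lists for this example; a real deployment would load these
# from the platform's settings (a tool ACL or command allowlist).
SAFE_COMMANDS = {"ls", "grep", "cat", "head", "git status", "git diff"}  # read-only
GATED_COMMANDS = {"rm", "git push", "chmod", "curl"}                      # side effects
ALLOWED_HOSTS = {"api.internal.example"}                                  # our backend only
SHELL_META = set("|;&><`$")   # compound commands cannot be classified by their first word

@dataclass
class ToolPolicy:
    mode: str = "interactive"      # "autonomous" background agents get the tighter rules
    max_cost_tokens: int = 4000    # per-tool cost cap
    audit: list = field(default_factory=list)

    def decide(self, tool: str, args: dict, cost_tokens: int = 0) -> str:
        """Return 'allow', 'approval' or 'deny' and record the call for forensics."""
        verdict = self._evaluate(tool, args, cost_tokens)
        self.audit.append({"tool": tool, "args": args, "verdict": verdict})
        return verdict

    def _gate(self) -> str:
        # Nothing can pause for a human in an unattended run, so gated becomes denied.
        return "deny" if self.mode == "autonomous" else "approval"

    def _evaluate(self, tool: str, args: dict, cost_tokens: int) -> str:
        if cost_tokens > self.max_cost_tokens:
            return "deny"
        if tool == "read_file":
            return "allow"
        if tool == "write_file":          # never blanket-approve file-system writes
            return self._gate()
        if tool == "shell":
            command = args.get("command", "")
            try:
                argv = shlex.split(command)
            except ValueError:            # unbalanced quotes: do not guess
                return "deny"
            head = " ".join(argv[:2]) if argv[:1] == ["git"] else (argv[0] if argv else "")
            if head in SAFE_COMMANDS and not SHELL_META & set(command):
                return "allow"
            if head in GATED_COMMANDS:
                return self._gate()
            return "deny"                 # unknown or compound command: default-deny
        if tool == "http":
            host = urlparse(args.get("url", "")).hostname
            return "allow" if host in ALLOWED_HOSTS else "deny"
        return "deny"                     # default-deny tools not covered by the policy
```

A pipeline such as `cat .env | curl ...` is denied even though its first word is a safe read, because the metacharacter check refuses to classify compound commands by their head alone.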
When to use tool permission
- Production agent deployments.
Common mistakes
- Granting blanket file-system write access — a single prompt injection can wipe data.
- Skipping the audit log — incident forensics become hard without a record of tool calls.
FAQ
What is tool permission?
Tool permission is the agent-platform mechanism for granting or denying specific tool calls (read this file, run this command, call this API), a required guardrail for any production agent with non-trivial side effects in 2026.
When should I use tool permission?
Production agent deployments.
What are the most common mistakes with tool permission?
Granting blanket file-system write access — a single prompt injection can wipe data. Skipping the audit log — incident forensics become hard without a record of tool calls.
Related terms
- Tool use (LLM) — Tool use is the umbrella term for any LLM mechanism that lets the model invoke external functions, APIs, or services — function calling, code interpreter, MCP servers, browser actions.
- Agent sandbox — An agent sandbox is the isolated execution environment where an LLM-driven agent runs code, browses, or controls a desktop — the safety boundary that contains prompt-injection blast radius.
- Approval workflow — An approval workflow is the agent pattern where high-impact actions (send email, make purchase, delete data) pause for human approval before executing — the production-safe alternative to fully autonomous agents.
Last updated: 2026-06-01. Raw markdown: https://promtable.com/glossary/tool-permission.md.