权限策略
控制 Agent 和 MCP 工具何时执行。
权限策略控制服务器执行的工具(预构建 Agent 工具集和 MCP 工具集)是自动运行还是等待你的批准。自定义工具由你的应用程序执行并由你控制,因此不受权限策略的约束。
Note
所有 Managed Agents API 请求都需要 managed-agents-2026-04-01 beta header。SDK 会自动设置该 beta header。
权限策略类型
| 策略 | 行为 |
|---|---|
always_allow | 工具自动执行,无需确认。 |
always_ask | 会话暂停并在执行前等待你的批准。参见响应确认请求了解事件流程。 |
为工具集设置策略
Agent 工具集权限
创建 Agent 时,你可以选择使用 default_config.permission_policy 为 agent_toolset_20260401 中的每个工具应用策略:
agent=$(curl -fsSL https://api.anthropic.com/v1/agents \
-H "x-api-key: $ANTHROPIC_API_KEY" \
-H "anthropic-version: 2023-06-01" \
-H "anthropic-beta: managed-agents-2026-04-01" \
-H "content-type: application/json" \
-d '{
"name": "Coding Assistant",
"model": "claude-opus-4-7",
"tools": [
{
"type": "agent_toolset_20260401",
"default_config": {
"permission_policy": {"type": "always_ask"}
}
}
]
}')
ant beta:agents create <<'YAML'
name: Coding Assistant
model: claude-opus-4-7
tools:
- type: agent_toolset_20260401
default_config:
permission_policy:
type: always_ask
YAML
agent = client.beta.agents.create(
name="Coding Assistant",
model="claude-opus-4-7",
tools=[
{
"type": "agent_toolset_20260401",
"default_config": {
"permission_policy": {"type": "always_ask"},
},
},
],
)
const agent = await client.beta.agents.create({
name: "Coding Assistant",
model: "claude-opus-4-7",
tools: [
{
type: "agent_toolset_20260401",
default_config: {
permission_policy: { type: "always_ask" }
}
}
]
});
var agent = await client.Beta.Agents.Create(new()
{
Name = "Coding Assistant",
Model = new("claude-opus-4-7"),
Tools =
[
new BetaManagedAgentsAgentToolset20260401Params
{
Type = "agent_toolset_20260401",
DefaultConfig = new()
{
PermissionPolicy = new BetaManagedAgentsAlwaysAskPolicy { Type = "always_ask" },
},
},
],
});
agent, err := client.Beta.Agents.New(ctx, anthropic.BetaAgentNewParams{
Name: "Coding Assistant",
Model: anthropic.BetaManagedAgentsModelConfigParams{
ID: "claude-opus-4-7",
},
Tools: []anthropic.BetaAgentNewParamsToolUnion{{
OfAgentToolset20260401: &anthropic.BetaManagedAgentsAgentToolset20260401Params{
Type: anthropic.BetaManagedAgentsAgentToolset20260401ParamsTypeAgentToolset20260401,
DefaultConfig: anthropic.BetaManagedAgentsAgentToolsetDefaultConfigParams{
PermissionPolicy: anthropic.BetaManagedAgentsAgentToolsetDefaultConfigParamsPermissionPolicyUnion{
OfAlwaysAsk: &anthropic.BetaManagedAgentsAlwaysAskPolicyParam{
Type: anthropic.BetaManagedAgentsAlwaysAskPolicyTypeAlwaysAsk,
},
},
},
},
}},
})
if err != nil {
panic(err)
}
_ = agent
var agent = client.beta().agents().create(
AgentCreateParams.builder()
.name("Coding Assistant")
.model(BetaManagedAgentsModel.CLAUDE_OPUS_4_7)
.addTool(
BetaManagedAgentsAgentToolset20260401Params.builder()
.type(BetaManagedAgentsAgentToolset20260401Params.Type.AGENT_TOOLSET_20260401)
.defaultConfig(
BetaManagedAgentsAgentToolsetDefaultConfigParams.builder()
.permissionPolicy(
BetaManagedAgentsAlwaysAskPolicy.builder()
.type(BetaManagedAgentsAlwaysAskPolicy.Type.ALWAYS_ASK)
.build()
)
.build()
)
.build()
)
.build()
);
$agent = $client->beta->agents->create(
name: 'Coding Assistant',
model: 'claude-opus-4-7',
tools: [
BetaManagedAgentsAgentToolset20260401Params::with(
type: 'agent_toolset_20260401',
defaultConfig: BetaManagedAgentsAgentToolsetDefaultConfigParams::with(
permissionPolicy: BetaManagedAgentsAlwaysAskPolicy::with(type: 'always_ask'),
),
),
],
);
agent = client.beta.agents.create(
name: "Coding Assistant",
model: "claude-opus-4-7",
tools: [
{
type: "agent_toolset_20260401",
default_config: {
permission_policy: {type: "always_ask"}
}
}
]
)
default_config 是可选设置。如果省略,Agent 工具集将使用默认权限策略 always_allow 启用。
MCP 工具集权限
MCP 工具集默认为 always_ask。这确保添加到 MCP 服务器的新工具不会在未经批准的情况下在你的应用程序中执行。要自动批准来自受信任 MCP 服务器的工具,请在 mcp_toolset 条目上设置 default_config.permission_policy。
mcp_server_name 必须与 mcp_servers 数组中引用的 name 匹配。
此示例连接 GitHub MCP 服务器并允许其工具无需确认即可运行:
agent=$(curl -fsSL https://api.anthropic.com/v1/agents \
-H "x-api-key: $ANTHROPIC_API_KEY" \
-H "anthropic-version: 2023-06-01" \
-H "anthropic-beta: managed-agents-2026-04-01" \
-H "content-type: application/json" \
-d '{
"name": "Dev Assistant",
"model": "claude-opus-4-7",
"mcp_servers": [
{"type": "url", "name": "github", "url": "https://mcp.example.com/github"}
],
"tools": [
{"type": "agent_toolset_20260401"},
{
"type": "mcp_toolset",
"mcp_server_name": "github",
"default_config": {
"permission_policy": {"type": "always_allow"}
}
}
]
}')
ant beta:agents create <<'YAML'
name: Dev Assistant
model: claude-opus-4-7
mcp_servers:
- type: url
name: github
url: https://mcp.example.com/github
tools:
- type: agent_toolset_20260401
- type: mcp_toolset
mcp_server_name: github
default_config:
permission_policy:
type: always_allow
YAML
agent = client.beta.agents.create(
name="Dev Assistant",
model="claude-opus-4-7",
mcp_servers=[
{"type": "url", "name": "github", "url": "https://mcp.example.com/github"},
],
tools=[
{"type": "agent_toolset_20260401"},
{
"type": "mcp_toolset",
"mcp_server_name": "github",
"default_config": {
"permission_policy": {"type": "always_allow"},
},
},
],
)
const agent = await client.beta.agents.create({
name: "Dev Assistant",
model: "claude-opus-4-7",
mcp_servers: [{ type: "url", name: "github", url: "https://mcp.example.com/github" }],
tools: [
{ type: "agent_toolset_20260401" },
{
type: "mcp_toolset",
mcp_server_name: "github",
default_config: {
permission_policy: { type: "always_allow" }
}
}
]
});
var agent = await client.Beta.Agents.Create(new()
{
Name = "Dev Assistant",
Model = new("claude-opus-4-7"),
McpServers =
[
new() { Type = "url", Name = "github", Url = "https://mcp.example.com/github" },
],
Tools =
[
new BetaManagedAgentsAgentToolset20260401Params
{
Type = "agent_toolset_20260401",
},
new BetaManagedAgentsMcpToolsetParams
{
Type = "mcp_toolset",
McpServerName = "github",
DefaultConfig = new()
{
PermissionPolicy = new BetaManagedAgentsAlwaysAllowPolicy { Type = "always_allow" },
},
},
],
});
agent, err := client.Beta.Agents.New(ctx, anthropic.BetaAgentNewParams{
Name: "Dev Assistant",
Model: anthropic.BetaManagedAgentsModelConfigParams{
ID: "claude-opus-4-7",
},
MCPServers: []anthropic.BetaManagedAgentsURLMCPServerParams{{
Type: anthropic.BetaManagedAgentsURLMCPServerParamsTypeURL,
Name: "github",
URL: "https://mcp.example.com/github",
}},
Tools: []anthropic.BetaAgentNewParamsToolUnion{
{
OfAgentToolset20260401: &anthropic.BetaManagedAgentsAgentToolset20260401Params{
Type: anthropic.BetaManagedAgentsAgentToolset20260401ParamsTypeAgentToolset20260401,
},
},
{
OfMCPToolset: &anthropic.BetaManagedAgentsMCPToolsetParams{
Type: anthropic.BetaManagedAgentsMCPToolsetParamsTypeMCPToolset,
MCPServerName: "github",
DefaultConfig: anthropic.BetaManagedAgentsMCPToolsetDefaultConfigParams{
PermissionPolicy: anthropic.BetaManagedAgentsMCPToolsetDefaultConfigParamsPermissionPolicyUnion{
OfAlwaysAllow: &anthropic.BetaManagedAgentsAlwaysAllowPolicyParam{
Type: anthropic.BetaManagedAgentsAlwaysAllowPolicyTypeAlwaysAllow,
},
},
},
},
},
},
})
if err != nil {
panic(err)
}
_ = agent
var agent = client.beta().agents().create(
AgentCreateParams.builder()
.name("Dev Assistant")
.model(BetaManagedAgentsModel.CLAUDE_OPUS_4_7)
.addMcpServer(
BetaManagedAgentsUrlMcpServerParams.builder()
.type(BetaManagedAgentsUrlMcpServerParams.Type.URL)
.name("github")
.url("https://mcp.example.com/github")
.build()
)
.addTool(
BetaManagedAgentsAgentToolset20260401Params.builder()
.type(BetaManagedAgentsAgentToolset20260401Params.Type.AGENT_TOOLSET_20260401)
.build()
)
.addTool(
BetaManagedAgentsMcpToolsetParams.builder()
.type(BetaManagedAgentsMcpToolsetParams.Type.MCP_TOOLSET)
.mcpServerName("github")
.defaultConfig(
BetaManagedAgentsMcpToolsetDefaultConfigParams.builder()
.permissionPolicy(
BetaManagedAgentsAlwaysAllowPolicy.builder()
.type(BetaManagedAgentsAlwaysAllowPolicy.Type.ALWAYS_ALLOW)
.build()
)
.build()
)
.build()
)
.build()
);
use Anthropic\Beta\Agents\BetaManagedAgentsMCPToolsetDefaultConfigParams;
use Anthropic\Beta\Agents\BetaManagedAgentsMCPToolsetParams;
use Anthropic\Beta\Agents\BetaManagedAgentsURLMCPServerParams;
$agent = $client->beta->agents->create(
name: 'Dev Assistant',
model: 'claude-opus-4-7',
mcpServers: [
BetaManagedAgentsURLMCPServerParams::with(
type: 'url',
name: 'github',
url: 'https://mcp.example.com/github',
),
],
tools: [
BetaManagedAgentsAgentToolset20260401Params::with(
type: 'agent_toolset_20260401',
),
BetaManagedAgentsMCPToolsetParams::with(
type: 'mcp_toolset',
mcpServerName: 'github',
defaultConfig: BetaManagedAgentsMCPToolsetDefaultConfigParams::with(
permissionPolicy: BetaManagedAgentsAlwaysAllowPolicy::with(type: 'always_allow'),
),
),
],
);
agent = client.beta.agents.create(
name: "Dev Assistant",
model: "claude-opus-4-7",
mcp_servers: [
{type: "url", name: "github", url: "https://mcp.example.com/github"}
],
tools: [
{type: "agent_toolset_20260401"},
{
type: "mcp_toolset",
mcp_server_name: "github",
default_config: {
permission_policy: {type: "always_allow"}
}
}
]
)
覆盖单个工具策略
使用 configs 数组覆盖单个工具的默认值。此示例默认允许完整的 Agent 工具集,但在运行任何 bash 命令之前需要确认:
tools='[
{
"type": "agent_toolset_20260401",
"default_config": {
"permission_policy": {"type": "always_allow"}
},
"configs": [
{
"name": "bash",
"permission_policy": {"type": "always_ask"}
}
]
}
]'
tools=$(cat <<'YAML'
- type: agent_toolset_20260401
default_config:
permission_policy:
type: always_allow
configs:
- name: bash
permission_policy:
type: always_ask
YAML
)
tools = [
{
"type": "agent_toolset_20260401",
"default_config": {
"permission_policy": {"type": "always_allow"},
},
"configs": [
{
"name": "bash",
"permission_policy": {"type": "always_ask"},
},
],
},
]
const tools = [
{
type: "agent_toolset_20260401",
default_config: {
permission_policy: { type: "always_allow" }
},
configs: [
{
name: "bash",
permission_policy: { type: "always_ask" }
}
]
}
] satisfies Anthropic.Beta.AgentCreateParams["tools"];
Tool[] tools =
[
new BetaManagedAgentsAgentToolset20260401Params
{
Type = "agent_toolset_20260401",
DefaultConfig = new()
{
PermissionPolicy = new BetaManagedAgentsAlwaysAllowPolicy { Type = "always_allow" },
},
Configs =
[
new()
{
Name = "bash",
PermissionPolicy = new BetaManagedAgentsAlwaysAskPolicy { Type = "always_ask" },
},
],
},
];
tools := []anthropic.BetaAgentNewParamsToolUnion{{
OfAgentToolset20260401: &anthropic.BetaManagedAgentsAgentToolset20260401Params{
Type: anthropic.BetaManagedAgentsAgentToolset20260401ParamsTypeAgentToolset20260401,
DefaultConfig: anthropic.BetaManagedAgentsAgentToolsetDefaultConfigParams{
PermissionPolicy: anthropic.BetaManagedAgentsAgentToolsetDefaultConfigParamsPermissionPolicyUnion{
OfAlwaysAllow: &anthropic.BetaManagedAgentsAlwaysAllowPolicyParam{
Type: anthropic.BetaManagedAgentsAlwaysAllowPolicyTypeAlwaysAllow,
},
},
},
Configs: []anthropic.BetaManagedAgentsAgentToolConfigParams{{
Name: anthropic.BetaManagedAgentsAgentToolConfigParamsNameBash,
PermissionPolicy: anthropic.BetaManagedAgentsAgentToolConfigParamsPermissionPolicyUnion{
OfAlwaysAsk: &anthropic.BetaManagedAgentsAlwaysAskPolicyParam{
Type: anthropic.BetaManagedAgentsAlwaysAskPolicyTypeAlwaysAsk,
},
},
}},
},
}}
var tools = List.of(
AgentCreateParams.Tool.ofAgentToolset20260401(
BetaManagedAgentsAgentToolset20260401Params.builder()
.type(BetaManagedAgentsAgentToolset20260401Params.Type.AGENT_TOOLSET_20260401)
.defaultConfig(
BetaManagedAgentsAgentToolsetDefaultConfigParams.builder()
.permissionPolicy(
BetaManagedAgentsAlwaysAllowPolicy.builder()
.type(BetaManagedAgentsAlwaysAllowPolicy.Type.ALWAYS_ALLOW)
.build()
)
.build()
)
.addConfig(
BetaManagedAgentsAgentToolConfigParams.builder()
.name(BetaManagedAgentsAgentToolConfigParams.Name.BASH)
.permissionPolicy(
BetaManagedAgentsAlwaysAskPolicy.builder()
.type(BetaManagedAgentsAlwaysAskPolicy.Type.ALWAYS_ASK)
.build()
)
.build()
)
.build()
)
);
use Anthropic\Beta\Agents\BetaManagedAgentsAlwaysAskPolicy;
$tools = [
BetaManagedAgentsAgentToolset20260401Params::with(
type: 'agent_toolset_20260401',
defaultConfig: BetaManagedAgentsAgentToolsetDefaultConfigParams::with(
permissionPolicy: BetaManagedAgentsAlwaysAllowPolicy::with(type: 'always_allow'),
),
configs: [
BetaManagedAgentsAgentToolConfigParams::with(
name: 'bash',
permissionPolicy: BetaManagedAgentsAlwaysAskPolicy::with(type: 'always_ask'),
),
],
),
];
tools = [
{
type: "agent_toolset_20260401",
default_config: {
permission_policy: {type: "always_allow"}
},
configs: [
{
name: "bash",
permission_policy: {type: "always_ask"}
}
]
}
]
响应确认请求
当 Agent 调用具有 always_ask 策略的工具时:
- 会话发出
agent.tool_use或agent.mcp_tool_use事件。 - 会话暂停,发出包含
stop_reason: requires_action的session.status_idle事件。阻塞事件 ID 在stop_reason.event_ids数组中。 - 为每个事件发送
user.tool_confirmation事件,在tool_use_id参数中传递事件 ID。将result设置为"allow"或"deny"。使用deny_message解释拒绝原因。 - 一旦所有阻塞事件被解决,会话转换回
running。
在会话事件流指南中了解更多关于事件处理的信息。
# 允许工具执行
curl -fsSL "https://api.anthropic.com/v1/sessions/$SESSION_ID/events" \
-H "x-api-key: $ANTHROPIC_API_KEY" \
-H "anthropic-version: 2023-06-01" \
-H "anthropic-beta: managed-agents-2026-04-01" \
-H "content-type: application/json" \
-d '{
"events": [
{
"type": "user.tool_confirmation",
"tool_use_id": "'$AGENT_TOOL_USE_EVENT_ID'",
"result": "allow"
}
]
}'
# 或者拒绝并附带解释
curl -fsSL "https://api.anthropic.com/v1/sessions/$SESSION_ID/events" \
-H "x-api-key: $ANTHROPIC_API_KEY" \
-H "anthropic-version: 2023-06-01" \
-H "anthropic-beta: managed-agents-2026-04-01" \
-H "content-type: application/json" \
-d '{
"events": [
{
"type": "user.tool_confirmation",
"tool_use_id": "'$MCP_TOOL_USE_EVENT_ID'",
"result": "deny",
"deny_message": "Don'\''t create issues in the production project. Use the staging project."
}
]
}'
# 允许工具执行
ant beta:sessions:events send \
--session-id "$SESSION_ID" \
--event "{type: user.tool_confirmation, tool_use_id: $AGENT_TOOL_USE_EVENT_ID, result: allow}"
# 或者拒绝并附带解释
ant beta:sessions:events send \
--session-id "$SESSION_ID" \
--event "{type: user.tool_confirmation, tool_use_id: $MCP_TOOL_USE_EVENT_ID, result: deny,
deny_message: Don't create issues in the production project. Use the staging project.}"
# 允许工具执行
client.beta.sessions.events.send(
session.id,
events=[
{
"type": "user.tool_confirmation",
"tool_use_id": agent_tool_use_event.id,
"result": "allow",
},
],
)
# 或者拒绝并附带解释
client.beta.sessions.events.send(
session.id,
events=[
{
"type": "user.tool_confirmation",
"tool_use_id": mcp_tool_use_event.id,
"result": "deny",
"deny_message": "Don't create issues in the production project. Use the staging project.",
},
],
)
// 允许工具执行
await client.beta.sessions.events.send(session.id, {
events: [
{
type: "user.tool_confirmation",
tool_use_id: agent_tool_use_event.id,
result: "allow"
}
]
});
// 或者拒绝并附带解释
await client.beta.sessions.events.send(session.id, {
events: [
{
type: "user.tool_confirmation",
tool_use_id: mcp_tool_use_event.id,
result: "deny",
deny_message: "Don't create issues in the production project. Use the staging project."
}
]
});
// 允许工具执行
await client.Beta.Sessions.Events.Send(session.ID, new()
{
Events =
[
new BetaManagedAgentsUserToolConfirmationEventParams
{
Type = "user.tool_confirmation",
ToolUseID = agentToolUseEvent.ID,
Result = "allow",
},
],
});
// 或者拒绝并附带解释
await client.Beta.Sessions.Events.Send(session.ID, new()
{
Events =
[
new BetaManagedAgentsUserToolConfirmationEventParams
{
Type = "user.tool_confirmation",
ToolUseID = mcpToolUseEvent.ID,
Result = "deny",
DenyMessage = "Don't create issues in the production project. Use the staging project.",
},
],
});
// 允许工具执行
_, err = client.Beta.Sessions.Events.Send(ctx, session.ID, anthropic.BetaSessionEventSendParams{
Events: []anthropic.BetaManagedAgentsEventParamsUnion{{
OfUserToolConfirmation: &anthropic.BetaManagedAgentsUserToolConfirmationEventParams{
Type: anthropic.BetaManagedAgentsUserToolConfirmationEventParamsTypeUserToolConfirmation,
ToolUseID: agentToolUseEvent.ID,
Result: anthropic.BetaManagedAgentsUserToolConfirmationEventParamsResultAllow,
},
}},
})
if err != nil {
panic(err)
}
// 或者拒绝并附带解释
_, err = client.Beta.Sessions.Events.Send(ctx, session.ID, anthropic.BetaSessionEventSendParams{
Events: []anthropic.BetaManagedAgentsEventParamsUnion{{
OfUserToolConfirmation: &anthropic.BetaManagedAgentsUserToolConfirmationEventParams{
Type: anthropic.BetaManagedAgentsUserToolConfirmationEventParamsTypeUserToolConfirmation,
ToolUseID: mcpToolUseEvent.ID,
Result: anthropic.BetaManagedAgentsUserToolConfirmationEventParamsResultDeny,
DenyMessage: anthropic.String("Don't create issues in the production project. Use the staging project."),
},
}},
})
if err != nil {
panic(err)
}
// 允许工具执行
client.beta().sessions().events().send(
session.id(),
EventSendParams.builder()
.addEvent(
BetaManagedAgentsUserToolConfirmationEventParams.builder()
.type(BetaManagedAgentsUserToolConfirmationEventParams.Type.USER_TOOL_CONFIRMATION)
.toolUseId(agentToolUseEvent.id())
.result(BetaManagedAgentsUserToolConfirmationEventParams.Result.ALLOW)
.build()
)
.build()
);
// 或者拒绝并附带解释
client.beta().sessions().events().send(
session.id(),
EventSendParams.builder()
.addEvent(
BetaManagedAgentsUserToolConfirmationEventParams.builder()
.type(BetaManagedAgentsUserToolConfirmationEventParams.Type.USER_TOOL_CONFIRMATION)
.toolUseId(mcpToolUseEvent.id())
.result(BetaManagedAgentsUserToolConfirmationEventParams.Result.DENY)
.denyMessage("Don't create issues in the production project. Use the staging project.")
.build()
)
.build()
);
use Anthropic\Beta\Sessions\Events\ManagedAgentsUserToolConfirmationEventParams;
// 允许工具执行
$client->beta->sessions->events->send(
$session->id,
events: [
ManagedAgentsUserToolConfirmationEventParams::with(
type: 'user.tool_confirmation',
toolUseID: $agentToolUseEvent->id,
result: 'allow',
),
],
);
// 或者拒绝并附带解释
$client->beta->sessions->events->send(
$session->id,
events: [
ManagedAgentsUserToolConfirmationEventParams::with(
type: 'user.tool_confirmation',
toolUseID: $mcpToolUseEvent->id,
result: 'deny',
denyMessage: "Don't create issues in the production project. Use the staging project.",
),
],
);
# 允许工具执行
client.beta.sessions.events.send_(
session.id,
events: [
{
type: "user.tool_confirmation",
tool_use_id: agent_tool_use_event.id,
result: "allow"
}
]
)
# 或者拒绝并附带解释
client.beta.sessions.events.send_(
session.id,
events: [
{
type: "user.tool_confirmation",
tool_use_id: mcp_tool_use_event.id,
result: "deny",
deny_message: "Don't create issues in the production project. Use the staging project."
}
]
)
自定义工具
权限策略不适用于自定义工具。当 Agent 调用自定义工具时,你的应用程序会收到 agent.custom_tool_use 事件,并负责决定是否执行它,然后发送 user.custom_tool_result。参见会话事件流了解完整流程。