Critical: No way to bypass MCP tool approval prompts in VSCode extension
Critical Issue: No Way to Bypass MCP Tool Approval Prompts in VSCode Extension
Summary
The Claude Code VSCode extension requires manual approval for every MCP tool call, with no "Always Allow" option or working configuration to bypass these prompts. This makes MCP servers unusable for automation and unattended workflows.
Environment
- Claude Code Version: VSCode Extension v2.0.31 (anthropic.claude-code-2.0.31-win32-x64)
- VSCode Version: Latest
- OS: Windows 11
- MCP Server: bitbucket-mcp (custom MCP server for Bitbucket API)
- MCP Configuration: Configured in VSCode settings.json under
mcp.servers
The Problem
Current Behavior
- Every MCP tool call (e.g.,
mcp__bitbucket-mcp__getRepository,mcp__bitbucket-mcp__getPullRequests) triggers an approval dialog - The approval dialog only has Yes/No options - no "Always Allow" or "Remember this choice"
- This happens on EVERY single tool call, even repeated calls to the same tool
- The prompts persist across VSCode restarts
Expected Behavior
Users should be able to configure trusted MCP servers to run without approval prompts, especially for:
- Automation workflows (CI/CD pipeline management)
- Batch operations requiring multiple API calls
- Unattended operations (e.g., overnight automation)
What We've Tried (All Failed)
1. VSCode Extension Settings
Tried adding to settings.json:
{
"claudeCode.allowDangerouslySkipPermissions": true
}
Result: No effect on MCP tool prompts
2. User-Level Claude Code Settings
Created C:\Users\[user]\.claude\settings.json:
{
"$schema": "https://json.schemastore.org/claude-code-settings.json",
"permissions": {
"defaultMode": "bypassPermissions",
"allow": [
"mcp__bitbucket-mcp__*",
"mcp__*"
]
}
}
Result: Settings file created and validated against schema, but MCP tools still require approval
3. MCP Server Configuration
Tried adding to MCP server config in settings.json:
{
"mcp.servers": {
"bitbucket": {
"command": "node",
"args": ["C:\\ak\\bitbucket-mcp\\dist\\index.js"],
"env": { "..." },
"alwaysAllow": ["*"]
}
}
}
Result: No effect
4. Multiple VSCode Restarts
Restarted VSCode multiple times after each configuration change.
Result: No change in behavior
Root Cause Analysis
After investigating the extension structure:
- Hardcoded Allowlist: The system prompt shows a hardcoded list of approved tools:
````
You can use the following tools without requiring user approval:
Bash(ls:*), Bash(where:*), Bash(find:*), ... etc
Notice: No MCP tools are in this list
- Binary Implementation: The approval logic appears to be in
claude.exe(compiled binary), not in configurable files
- Schema vs Implementation Gap: The
claude-code-settings.schema.jsondefinespermissions.defaultMode: "bypassPermissions", but this doesn't apply to MCP tools in the VSCode extension
Business Impact
Use Case: CI/CD Pipeline Automation
Scenario: Managing Bitbucket pipelines that take 2-3 hours to build
- Need to monitor pipeline runs, download logs, analyze failures
- Requires multiple Bitbucket API calls (get pipeline status, get logs, get PR details, etc.)
- Currently requires manual approval for EVERY API call
- Makes unattended automation completely impossible
Impact:
- Cannot run automation overnight
- Defeats the entire purpose of MCP servers for external API integration
- Forces workarounds (writing custom scripts instead of using MCP)
Comparison with CLI
Question: Does the CLI version of Claude Code (claude terminal command) respect the bypassPermissions configuration for MCP tools?
If yes, this represents a significant feature gap between CLI and VSCode extension.
Proposed Solutions
Option 1: Add "Always Allow" to Approval Dialog (Quick Fix)
Add checkbox to approval dialog:
☐ Always allow tools from this MCP server
[ Yes ] [ No ]
Option 2: Honor Existing Permission Settings (Proper Fix)
Make the VSCode extension respect .claude/settings.json:
permissions.defaultMode: "bypassPermissions"should work for MCP toolspermissions.allow: ["mcp__*"]should explicitly allow MCP tool patterns- Match behavior with CLI implementation
Option 3: MCP Server Trust Configuration
Add user-level trust configuration:
{
"trustedMcpServers": [
"bitbucket",
"github",
"custom-server"
]
}
Additional Context
Why This Matters
MCP servers are designed for external API integration. Many real-world APIs require multiple calls to accomplish tasks:
- GitHub: Get repo → List PRs → Get PR details → Get diff → Add comments
- Bitbucket: Get pipeline → Get steps → Get logs → Parse results
- Jira: Search issues → Get issue details → Update status → Add comments
Requiring manual approval for each call makes MCP unusable for these legitimate workflows.
Security Considerations
We understand the security concern about untrusted MCP servers. However:
- Users explicitly configure MCP servers in their settings
- MCP servers require authentication (API keys/tokens)
- Users should be able to trust their own configurations
- The current model provides security theater without actual usability
Reproduction Steps
- Install Claude Code VSCode extension v2.0.31
- Configure any MCP server in VSCode
settings.json:
``json``
{
"mcp.servers": {
"test-server": {
"command": "node",
"args": ["path/to/server.js"]
}
}
}
- Use Claude Code and ask it to call an MCP tool
- Observe: Approval dialog appears for every tool call
- Create
.claude/settings.jsonwith"defaultMode": "bypassPermissions" - Restart VSCode
- Try MCP tool again
- Observe: Still requires approval
Request
Please implement one of the proposed solutions to make MCP servers usable for automation workflows. This is blocking legitimate use cases for MCP functionality.
---
Generated: 2025-11-01
Reporter: Akhil Kumar (akhil@apra.in)
Environment: Windows 11, VSCode Extension v2.0.31
19 Comments
I'm experiencing the same issue with the chrome-devtools MCP server. I've tried every configuration combination mentioned in this thread and more:
Configurations attempted (none worked):
.claude/settings.json:```json
{
"enableAllProjectMcpServers": true,
"permissions": {
"allow": ["*"],
"defaultMode": "bypassPermissions"
}
}
{
"claude-code.mcpServers.autoApproveTools": true,
"claude-code.mcpServers.autoApprove": ["chrome", "chrome-devtools"],
"mcpServers": {
"chrome": {
"command": "npx",
"args": ["-y", "@modelcontextprotocol/server-google-chrome"],
"autoApprove": ["*"]
}
}
}
{
"servers": {
"chrome-devtools": {
"command": "npx",
"args": ["-y", "chrome-devtools-mcp@latest"],
"autoApprove": ["*"]
}
}
}
I was able to do it using the
permissionskey in settings.json:Found a workaround, but wildcards still need fixing
I ran into this same issue and found what's going on. The wildcard syntax (
mcp__[server-name]__*) doesn't work insettings.jsonfor MCP tools, but specifying the actual tool names does.What works:
What doesn't work (but should):
So yeah, you can get around the constant prompts by listing out each tool explicitly in your
.claude/settings.json. Not ideal since you have to know all the tool names upfront, but it does actually work.The wildcard syntax really should be supported though - it's tedious to manually list every tool, especially for MCP servers with lots of tools. Would be great to get this fixed so
mcp__[server-name]__*works as expected.See the alert at the end of this section: https://code.claude.com/docs/en/iam#configuring-permissions
Yes it worked for me, the prefix 'mcp__' is needed otherwise it is not working the definition of my tool is in my .claude.json file under the windows user home dir.
This issue has been inactive for 30 days. If the issue is still occurring, please comment to let us know. Otherwise, this issue will be automatically closed in 30 days for housekeeping purposes.
its still a problem, I think it respects the .claude/settings.local.json but we need an option for "Always allow tools from this MCP server", as described in the original ticket the approval dialog only has Yes/No options - no "Always Allow" or "Remember this choice"
It continues to be an issue, we do not see any official Anthropic response yet. so pls do not close it.
Still waiting.
I've got this problem, very annoying
Waiting ...
Any update? I faced this issue even with normal command which "always allow" already.
It happens in Claude Desktop too.
You can just place the following in your %userprofile%/.claude/settings.json
I had to restart my pc before it started working. StatusLine means this:
<img width="993" height="157" alt="Image" src="https://github.com/user-attachments/assets/4be5f650-1501-4c0c-aa7c-23c57b5b153d" />
You can modify your status-line using
npx -y ccstatusline@latestThis issue has been automatically closed due to 60 days of inactivity. If you're still experiencing this issue, please open a new issue with updated information.
Why is this closed and marked as "not planned"? We have people still reporting this issue.
CC: @bcherny
This issue was closed incorrectly despite recent human comments. This behavior of the bot is reported at https://github.com/anthropics/claude-code/issues/16497. Please upvote that issue, so maybe it gets noticed.
+1 — experiencing this exact pain point specifically with Claude Code running as an MCP server in Claude for Desktop.
Read-only tools like
Read,Grep,Glob,WebSearch, andWebFetchare already auto-allowed in the Claude Code CLI (they never prompt for permission, because they can't modify anything). But when the same tools are called through MCP in Claude Desktop, every single call triggers a permission prompt with no way to permanently allow them.At minimum, read-only / non-destructive MCP tool calls should be allowlistable — either globally or per-server. Ideally Claude Desktop would respect the same permission tiers that Claude Code CLI already uses (read-only = auto-allowed, write = ask, etc.).
This is the #1 friction point in using Claude Code as an MCP server in Claude Desktop.
This issue has been automatically locked since it was closed and has not had any activity for 7 days. If you're experiencing a similar issue, please file a new issue and reference this one if it's relevant.