Remote routines cannot bypass MCP tool approval gate (CreateSessionRequest has no permission_mode field)
Summary
Remote scheduled routines (created via /schedule / RemoteTrigger API) cannot bypass the Claude Code MCP tool approval prompt. Every MCP tool call inside a routine hits a "needs your approval to proceed" gate, but headless remote runs have no UI to approve, so the routine fails. There appears to be no equivalent of --dangerously-skip-permissions exposed in the API schema.
Steps to reproduce
- Create a routine that calls any MCP connector (e.g., Google Drive
search_files, Notionnotion-create-pages). - Run it (cron-scheduled or manual
RemoteTrigger run). - The routine logs:
````
Used Google-Drive: search files
The Google Drive tool needs your approval to proceed — please allow the MCP call when prompted. Re-attempting now.
- The agent loops on approval prompts and never completes the workflow. No Notion row / Drive interaction actually happens.
What I tried (all failed)
| Attempt | Where | Result |
|---|---|---|
| mcp_connections[].permitted_tools: ["search_files", "read_file_content", …] | mcp connection | HTTP 200 — but approval still required |
| mcp_connections[].permitted_tools: ["*"] | mcp connection | HTTP 200 — but approval still required |
| session_context.allowed_tools: ["mcp__Google-Drive", "mcp__Google-Drive__search_files", …] | session | HTTP 200 — but approval still required |
| session_context.permission_mode: "bypassPermissions" | session | HTTP 400 unknown field "permission_mode" |
| session_context.dangerously_skip_permissions: true | session | HTTP 400 unknown field |
| session_context.bypass_permissions: true | session | HTTP 400 unknown field |
| session_context.skip_permissions: true | session | HTTP 400 unknown field |
| session_context.auto_approve: true | session | HTTP 400 unknown field |
| session_context.settings: {permissions: {allow: [...]}} | session | HTTP 400 unknown field |
| session_context.permissions: {allow: [...]} | session | HTTP 400 unknown field |
| session_context.env: {CLAUDE_DANGEROUSLY_SKIP_PERMISSIONS: "1"} | session | HTTP 400 unknown field |
| job_config.ccr.permission_mode / bypass_permissions | ccr | HTTP 400 unknown field |
The server reports the proto type as CreateSessionRequest (error: translate job_config v1→v2: job_config is not a valid CreateSessionRequest: proto: ... unknown field).
Expected behavior
Routines should provide a way to either:
- Auto-approve all MCP tool calls (
permission_mode: "bypassPermissions"), OR - Auto-approve a specific allowlist of MCP tools via either:
permitted_toolsonmcp_connections[](the field exists but does not actually skip approval), orallowed_toolsonsession_context(the field exists but does not actually skip approval for MCP tools)
Actual behavior
permitted_tools and allowed_tools are silently no-ops for MCP approval. The routine cannot run unattended. Any routine that depends on connectors other than the Claude GitHub App (which appears bypassed) is effectively broken.
Impact
- Two of my production routines (daily meeting memo sync, weekly SQA bug batch) have been silently failing since the connectors were attached. There is no error surfaced to the cron scheduler —
last_fired_atupdates but no Notion/Drive writes happen. - Workaround: rewrite the routines to call Notion/Google REST APIs directly via
Bash+curl+ tokens stored in a private git source. This defeats the purpose of MCP connectors.
Workaround proposed (not great)
- Skip MCP. Bake long-lived integration tokens into a private repo cloned as
sources. UseBash+curlfor everything.
Ask
Please expose permission_mode (or equivalent) on CreateSessionRequest for routines, OR make permitted_tools/allowed_tools actually skip approval as their naming suggests.
Environment
- Routine API used via Claude Code in-process auth (no curl).
- Tested on env
env_01WaEV5cppQjQegViV3rcxEM(Default, anthropic_cloud). - Model:
claude-sonnet-4-6. - Connectors: Google Drive (
a0cc30be-…), Notion (9456db5b-…).
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗