Claude Code authorization gate
Stop Claude Code from deploying without authorization.
Claude Code can open pull requests, push commits, and trigger CI workflows. Without an external enforcement boundary, it can reach production as soon as it interprets a message as authorization — which is not the same as a human actually authorizing it. Permission Protocol adds the external gate: merge and deploy are blocked until a signed receipt exists. The agent cannot bypass this with a better prompt.
The problem
Claude Code is capable enough to interpret 'looks good' as authorization to merge and deploy. System prompt instructions are not enforcement — they're suggestions the model may or may not follow depending on context. The governance layer must live outside the agent, in systems Claude Code cannot influence. Permission Protocol is that layer.
Code example.
Before — no gate
# .github/workflows/deploy.yml
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/deploy.sh
      # Claude Code can reach this if it merges to main
      # Nothing external stops it
After — authorization gate
# .github/workflows/deploy.yml
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Verify authorization receipt
        uses: permission-protocol/verify-action@v1
        with:
          action: deploy
          resource: ${{ github.repository }}:production
        # Fails closed if no valid receipt exists
        # Claude Code cannot produce a receipt by itself
      - run: ./scripts/deploy.sh
        # Only runs after receipt is verified
# Branch protection also requires:
#   permission-protocol/approval as a required status check
# No receipt = blocked PR = no merge
How it works.
Install the GitHub App
Connect Permission Protocol to your repository. Set it as a required status check on your protected branch. Claude Code's PRs will be blocked until authorization is granted.
Claude Code opens a PR, gate fires
When Claude Code opens a PR touching production paths, the Permission Protocol check runs. It stays pending (blocking merge) until a human explicitly issues an authorization receipt.
Human reviews and authorizes
A reviewer opens the approval interface, sees the exact commit, resource, and agent, and issues a receipt. The status check turns green. Claude Code can now merge — because a human made a deliberate decision, not because Claude Code interpreted a message.
The receipt it produces.
{
  "receipt_id": "pp_r_f7b2c091",
  "action": "merge",
  "resource": "permission-protocol/app:main",
  "actor": "claude-code[bot]",
  "approved_by": "[email protected]",
  "policy": "production-deploy",
  "context": {
    "pull_request": 184,
    "commit_sha": "a3f9c2b1",
    "environment": "production"
  },
  "timestamp": "2026-05-16T11:30:00Z",
  "signature": "pp_sig_Mq3z..."
}
FAQ.
Can Claude Code bypass the gate with a better prompt?
No. The gate is a GitHub required status check enforced by branch protection — not a system prompt instruction. Claude Code cannot merge without the check passing, and the check cannot pass without a human issuing an authorization receipt through Permission Protocol. The enforcement is external to the agent.
What if Claude Code tries to push directly to main?
Branch protection prevents direct pushes to protected branches. Claude Code must go through a PR, which requires the Permission Protocol status check to pass before merge.
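The two answers above hold only if the branch protection rule is actually configured that way. The following is an added example, not Permission Protocol's own code: an offline audit of a branch protection object shaped like the response from GitHub's GET /repos/{owner}/{repo}/branches/{branch}/protection endpoint. The sample JSON is constructed, the app_id value 12345 is a placeholder, and treating a null app_id as "not pinned to a source app" is an assumption about how the rule was saved.

```python
import json

# Status check name taken from the workflow comment on this page.
REQUIRED_CHECK = "permission-protocol/approval"

# Constructed sample (trimmed) in the shape of GitHub's branch protection response.
SAMPLE_PROTECTION = json.loads("""
{
  "required_status_checks": {
    "strict": true,
    "contexts": ["ci/test", "permission-protocol/approval"],
    "checks": [{"context": "ci/test", "app_id": null},
               {"context": "permission-protocol/approval", "app_id": 12345}]
  },
  "enforce_admins": {"enabled": false},
  "allow_force_pushes": {"enabled": false},
  "allow_deletions": {"enabled": false}
}
""")


def audit_protection(protection, required_check=REQUIRED_CHECK):
    """Return a list of findings; an empty list means the gate is enforced."""
    if not protection:
        # Fail closed: a missing rule means nothing stands between a push and deploy.
        return ["branch has no protection rule, so the deploy gate is not enforced"]
    findings = []
    rsc = protection.get("required_status_checks") or {}
    checks = {c.get("context"): c.get("app_id") for c in rsc.get("checks", [])}
    if required_check not in set(rsc.get("contexts", [])) | set(checks):
        findings.append(f"{required_check} is not a required status check")
    elif checks.get(required_check) is None:
        findings.append(f"{required_check} is not pinned to a source app (app_id is null)")
    if not (protection.get("enforce_admins") or {}).get("enabled", False):
        findings.append("enforce_admins is off: administrators are exempt from the check")
    for key in ("allow_force_pushes", "allow_deletions"):
        if (protection.get(key) or {}).get("enabled", False):
            findings.append(f"{key} is enabled on the protected branch")
    return findings


if __name__ == "__main__":
    for finding in audit_protection(SAMPLE_PROTECTION):
        print("FINDING:", finding)
```

Run against the constructed sample, the audit reports one finding: the required check is present and pinned, but administrators are exempt from it.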
Does this slow down Claude Code's development workflow?
Only for production-targeted changes. Claude Code can freely open PRs, run tests, iterate on code, and work in development branches. The gate fires only when a PR targets a protected branch configured for authorization. Most teams gate main/production only.
We already have the incident where Claude Code modified its own tests. Does this catch that?
Partially. The deploy gate catches the PR before it merges, giving a human the opportunity to notice that test files changed without corresponding logic fixes. A tool-call gate on file writes within the test directory catches it earlier. See our incident analysis for the full breakdown.
Get the gate running today.
Free for individual developers. The quickstart takes under five minutes. Enterprise plans for teams that need audit trails, policy management, and self-hosted authority nodes.