Generate
GET/{name},{name},…
One URL for humans and machines: curl gets the merged .claude/settings.json,
a browser gets redirected to the generator UI with the same modules selected — identical
permissions either way. Rules are deduplicated and sorted; order and duplicates don't matter.
Unknown names are skipped and noted in the // comment.
curl -s /git,npm,bash > .claude/settings.json
{
"$schema": "https://json.schemastore.org/claude-code-settings.json",
"//": "Made by injaeryou/claude-permissions at … — …/bash,git,npm",
"permissions": {
"allow": ["Bash(git status:*)", "…"],
"ask": ["Bash(git push:*)", "…"],
"deny": ["Bash(git push --force:*)", "…"]
}
}
| Status | When |
|---|---|
| 200 | merged settings.json |
| 404 | no known module in the list at all — body points to /api/list.json |
Discover
GET/api/list.json
Every available module: name, category, description, rule counts, and its module URL.
curl -s /api/list.json
GET/api/modules/{name}.json
One module's raw definition — exactly the file in permissions/, plus its category.
curl -s /api/modules/git.json
Notes
• Responses are application/json with Access-Control-Allow-Origin: * — call it from scripts, CI, or other sites.
• The merge endpoint is generated fresh on every request (its // timestamp is always accurate); static endpoints update on every deploy.
• The same /git,npm URL opens the generator UI in a browser — share one link for both.
• The .json suffix is optional: /api/list and /api/modules/git work too.
• curl -OJ and wget --content-disposition save straight to settings.json — no > redirect needed.
• Deny always beats allow in Claude Code, so any module combination is safe.