← back to the generator

Generate

GET/{name},{name},…

One URL for humans and machines: curl gets the merged .claude/settings.json, a browser gets redirected to the generator UI with the same modules selected — identical permissions either way. Rules are deduplicated and sorted; order and duplicates don't matter. Unknown names are skipped and noted in the // comment.

curl -s /git,npm,bash > .claude/settings.json
{
  "$schema": "https://json.schemastore.org/claude-code-settings.json",
  "//": "Made by injaeryou/claude-permissions at … — …/bash,git,npm",
  "permissions": {
    "allow": ["Bash(git status:*)", "…"],
    "ask":   ["Bash(git push:*)", "…"],
    "deny":  ["Bash(git push --force:*)", "…"]
  }
}
StatusWhen
200merged settings.json
404no known module in the list at all — body points to /api/list.json

Discover

GET/api/list.json

Every available module: name, category, description, rule counts, and its module URL.

curl -s /api/list.json

GET/api/modules/{name}.json

One module's raw definition — exactly the file in permissions/, plus its category.

curl -s /api/modules/git.json

Notes

• Responses are application/json with Access-Control-Allow-Origin: * — call it from scripts, CI, or other sites.
• The merge endpoint is generated fresh on every request (its // timestamp is always accurate); static endpoints update on every deploy.
• The same /git,npm URL opens the generator UI in a browser — share one link for both.
• The .json suffix is optional: /api/list and /api/modules/git work too.
curl -OJ and wget --content-disposition save straight to settings.json — no > redirect needed.
• Deny always beats allow in Claude Code, so any module combination is safe.