
Push events into a running session with channels - Claude Code Docs

Claude Docs · May 11, 2026
Channels are MCP server plugins that deliver events into running Claude Code sessions, enabling Claude to react to messages while the user is away from the terminal, with supported options including Telegram, Discord, and iMessage. Each channel requires user authentication and maintains a sender allowlist for security, allowing only approved contacts to push messages into the session. Organizations can control channel availability through admin settings, while individual users opt channels into sessions using the `--channels` flag.

Detailed Analysis

Anthropic has introduced a feature called "channels" to Claude Code, enabling real-time event delivery into active coding sessions through a Model Context Protocol (MCP) server architecture. Unlike traditional integrations that either spawn new cloud sessions or rely on polling mechanisms, channels push messages directly into whichever session the user already has open. The feature supports two-way communication, meaning Claude can not only receive inbound messages from platforms like Telegram, Discord, and iMessage, but also reply back through those same platforms — with inbound messages visible in the terminal and outbound replies appearing natively on the originating platform. A localhost demo tool called "fakechat" is provided to let developers test the plugin flow before connecting to live external services.

The security architecture underlying channels reflects Anthropic's recognition that remote message delivery into an active AI coding session carries meaningful risk. Every approved channel plugin maintains a sender allowlist that silently drops messages from any unapproved source. Telegram and Discord use a pairing-code bootstrap flow to populate this allowlist, while iMessage allows direct self-messaging and uses handle-based access control for additional contacts. Critically, Anthropic separates two distinct permission layers: a server must both appear in the `.mcp.json` configuration file and be explicitly named in the `--channels` flag at session startup, ensuring that passive configuration alone cannot activate a channel. This dual-gate model also governs permission relay — the capability for a channel to forward terminal permission prompts to the user remotely — meaning only allowlisted senders can approve or deny tool execution, a significant authority that the documentation explicitly flags.

Enterprise and organizational controls add a third governance layer on top of the user-level security model. For claude.ai Team and Enterprise accounts, channels are blocked by default and require explicit administrator enablement via the Admin console or managed settings. Console organizations operating with API key authentication have channels permitted by default unless they have deployed managed settings, in which case the same administrator-controlled `channelsEnabled` flag applies. A complementary `allowedChannelPlugins` setting lets administrators restrict which specific plugins can register once the master switch is enabled, replacing the Anthropic-maintained default list. Pro and Max individual users operating outside any organization bypass these organizational checks entirely and opt in on a per-session basis.
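The three layers described above (organizational policy, the `.mcp.json` plus `--channels` session gate, and the per-channel sender allowlist) can be modelled as one decision function for reviewing a deployment. This is an added example, not Anthropic's code: the account labels, the flat plugin names, the `DEFAULT_PLUGINS` placeholder and the sample state are assumptions, and Admin console enablement is treated as equivalent to `channelsEnabled` in managed settings.

```python
from dataclasses import dataclass
from typing import Optional

# Placeholder standing in for the Anthropic-maintained default list (contents assumed).
DEFAULT_PLUGINS = {"telegram", "discord", "imessage"}

@dataclass
class Org:
    account: str                    # assumed labels: team_enterprise | console_api_key | pro_max
    managed: Optional[dict] = None  # managed settings; None when none are deployed

def org_gate(org: Org, plugin: str) -> Optional[str]:
    """Organizational layer. Returns a denial reason, or None when allowed."""
    if org.account == "pro_max":
        return None                 # individual users skip organizational checks
    if org.managed is None:         # Console is permitted by default, Team/Enterprise is not
        return None if org.account == "console_api_key" else "org: blocked by default"
    if not org.managed.get("channelsEnabled", False):
        return "org: channelsEnabled is off"
    allowed = org.managed.get("allowedChannelPlugins")  # replaces the default list when set
    if plugin not in (DEFAULT_PLUGINS if allowed is None else set(allowed)):
        return "org: plugin not permitted"
    return None

def session_gate(mcp_json: dict, channels_flag: list, plugin: str) -> Optional[str]:
    """Session layer: the server must be configured AND named at startup."""
    if plugin not in mcp_json.get("mcpServers", {}):
        return "session: not in .mcp.json"
    if plugin not in channels_flag:
        return "session: not named in --channels"
    return None

def decide(org, mcp_json, channels_flag, allowlists, plugin, sender) -> str:
    """Return 'deliver', or the first reason the inbound event is dropped."""
    reason = org_gate(org, plugin) or session_gate(mcp_json, channels_flag, plugin)
    if reason:
        return reason
    if sender not in allowlists.get(plugin, set()):
        return "sender: not on allowlist (silently dropped)"
    return "deliver"

# Constructed sample state, not taken from a real deployment.
MCP = {"mcpServers": {"telegram": {}, "discord": {}}}
ALLOW = {"telegram": {"alice"}}
ENABLED = Org("team_enterprise", {"channelsEnabled": True})
```

Evaluating the gates in this order shows which layer is responsible when a channel event never reaches the session, which is the first question to answer when reviewing who can drive tool execution remotely.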

The channels feature represents a meaningful shift in how AI coding assistants interact with asynchronous, real-world workflows. Traditional CLI-based AI tools operate in a fundamentally synchronous model — a human types a command, the model responds, and both parties are co-present. Channels break this assumption by enabling Claude to act as a persistent, event-driven agent that responds to external triggers even when the developer is away from the terminal. The inclusion of an unattended mode via `--dangerously-skip-permissions` and non-interactive `-p` mode, which disables terminal-input-dependent tools to prevent session stalls, reveals that Anthropic is explicitly designing for autonomous background operation scenarios. This positions Claude Code not merely as an interactive coding assistant but as an ambient agent capable of handling asynchronous tasking pipelines across communication platforms.

Viewed in the broader context of agentic AI development, the channels architecture mirrors an industry-wide push toward AI systems that maintain persistent state and respond to environmental signals rather than waiting passively for human prompts. Anthropic's decision to ground the feature in the open MCP standard, and to publish a Channels reference for developers building custom plugins, signals an intent to foster an ecosystem of third-party integrations rather than controlling the full surface area of connectivity. The research-preview status of the current supported channels — Telegram, Discord, and iMessage — suggests Anthropic is stress-testing both the technical reliability and the security model before broader rollout. The careful layering of sender allowlists, organizational controls, and session-scoped opt-in flags indicates that Anthropic is acutely aware that a feature enabling remote message-triggered tool execution in a developer environment carries enterprise security implications that differ substantially from those of a standard chat interface.
