What does the fallbackModel setting actually do in Claude Code?

It configures up to three alternative models Claude Code tries in order when your primary model returns a 529 overloaded error. If Opus 4.8 is overloaded, Claude Code automatically retries your current turn with the first fallback. If that also fails, it tries the second, and so on. Auth errors, rate-limit errors, and transport errors still surface immediately without using the fallback chain.

Where do I add the fallbackModel setting?

In your `settings.json` file. For user-wide settings that apply to all projects, that is `~/.claude/settings.json`. For project-specific settings, use `.claude/settings.json` at the project root. You can also pass `--fallback-model` as a CLI flag per session, which now applies to interactive sessions as well as background workers.

What exactly changed about SendMessage in multi-agent Claude Code setups?

Messages arriving via `SendMessage` from another Claude session no longer carry user-level authority. Before v2.1.166, an orchestrator session could relay messages framed as user instructions and worker sessions would treat them with user-level trust. After v2.1.166, relayed messages are stripped of user authority, receivers refuse relayed permission requests, and auto mode blocks them entirely. Only a direct human interaction can grant permissions.

Does the fallback trigger on errors other than 529 overloads?

The fallback triggers on 529 overload errors and on unexpected non-retryable API errors. It does not trigger on server downtime, invalid model identifiers, or most other failure modes. There is an open GitHub issue tracking this limitation, as some developers expected it to cover a broader set of failure scenarios.

If I am on the Pro plan, which models can I use as a fallback?

You can configure any model your plan tier can access. Pro plan subscribers have access to Sonnet and Haiku by default. If you set a fallback to a model outside your plan's access (such as Opus on a basic plan), the fallback attempt returns an auth error rather than a 529, and no further fallbacks in the chain are tried. Verify plan access for every model in your fallback list before relying on the chain in production.

Claude Code Adds Fallback Models and Tightens Agent Security - v2.1.166 routes around overloads with a fallbackModel setting and closes a privilege escalation gap in multi-agent SendMessage workflows

Claude Code v2.1.166, released June 6, ships two changes that directly affect vibecoders running Opus 4.8 in production: a fallbackModel setting that automatically routes around API overload errors, and a security boundary that closes a privilege escalation path in multi-agent workflows built on SendMessage. If you have hit 529 overloaded errors in the past two weeks, the fix is a five-line config change.

What Has Been Causing the Overload Interruptions

The HTTP 529 overloaded_error appears when Anthropic's shared model capacity is saturated for the model your session is requesting. The error has been documented across multiple GitHub issue threads since Opus 4.8 became the default model for Max and Team Premium accounts in late May. Reports cluster around US business hours on Tuesday through Thursday, roughly 10 a.m. to 2 p.m. PST, when developer demand peaks.

Before v2.1.166, Claude Code applied internal retry with exponential backoff on 529 errors. For brief overloads that cleared in seconds, this worked fine. For sustained capacity saturation during peak hours, the session would exhaust its retries and surface the error to the user, stopping whatever the agent was in the middle of doing. On a 30-minute autonomous refactor run, hitting a hard stop at minute 22 means restarting from context rather than from where the work left off.

Key Takeaway

Add "fallbackModel": ["claude-sonnet-4-6"] to your ~/.claude/settings.json or project .claude/settings.json. When Opus 4.8 is overloaded, Claude Code automatically tries the fallback instead of stopping. The --fallback-model flag now also applies to interactive sessions, not just background workers. Configure it today if you run long agentic sessions during peak hours.

How Do You Configure the Fallback Model Setting

The setting belongs in your settings.json. Add it at the user level for global coverage, or at the project level for per-project control:

{
  "model": "claude-opus-4-8",
  "fallbackModel": ["claude-sonnet-4-6", "claude-haiku-4-5-20251001"]
}

Claude Code tries fallbacks in array order. If Opus 4.8 is overloaded, it moves to Sonnet 4.6. If Sonnet is also overloaded, it tries Haiku. You can specify one, two, or three fallbacks. A session flag also works without touching your config file:

claude --fallback-model claude-sonnet-4-6

The retry applies once per turn, not indefinitely. If the first fallback is overloaded, Claude Code moves to the second, and if all configured fallbacks fail, it surfaces the error rather than queuing forever. Auth errors, rate-limit errors, request-size errors, and transport errors bypass the fallback chain entirely and surface immediately.

For most use cases, a single Sonnet 4.6 fallback is the right configuration. Sonnet handles the majority of coding tasks Opus takes on, runs measurably faster, and costs less when the fallback triggers. Haiku as a second fallback is useful when maximum session continuity matters more than model quality, such as during a long overnight agent run.

EXPLAINER DIAGRAM: Flowchart on a light gray background. At top, a royal blue rectangle labeled PRIMARY MODEL OPUS 4.8 with a downward arrow splitting into two paths. Left path labeled SUCCESS in green text leads to a green rounded rectangle labeled SESSION CONTINUES. Right path labeled 529 OVERLOAD in red text leads to a yellow diamond decision shape labeled FALLBACK CONFIGURED? Two arrows out of diamond: left path labeled NO leads to a red rounded rectangle labeled SESSION STOPS. Right path labeled YES leads to a sky blue rectangle labeled TRY FALLBACK 1 SONNET 4.6, which splits again into SUCCESS (green, SESSION CONTINUES) and 529 (orange, TRY FALLBACK 2 HAIKU in light orange rectangle). Bold black header at top reads FALLBACK MODEL ROUTING v2.1.166. Small gray footer reads claude-code june 6 2026.

On a 529 overload, Claude Code tries each configured fallback in order. The retry happens once per turn; if all fallbacks are overloaded the error surfaces to the user rather than queuing indefinitely.

One failure mode to watch: if you configure a fallback model your plan cannot access, the fallback attempt fails with an auth error rather than another 529, and that surfaces immediately without further retries. Test your fallback chain against a real overload period, or at least verify your plan has access to every model in the chain, before relying on it in a production agent run.

Why Did Cross-Session Messaging Change in Multi-Agent Work

The second significant change in v2.1.166 addresses how trust authority propagated across Claude Code sessions connected by SendMessage.

SendMessage lets one Claude session relay messages to another. In a multi-agent setup, an orchestrator session typically spawns worker sessions and directs them through this channel. Before v2.1.166, a message arriving via SendMessage could carry user-level authority if the orchestrating session framed it as a user instruction. A worker receiving such a message treated it with the same trust as a direct human input.

This created a privilege escalation path through the orchestration layer. A compromised or prompt-injected orchestrator could relay permission grant requests that appeared to come from the user. Worker sessions running in auto mode would then act on those grants without a real human confirmation. The attack surface is narrow in practice but meaningful for teams running complex multi-agent pipelines on sensitive codebases or production infrastructure.

In v2.1.166, this is corrected. Messages relayed via SendMessage from other Claude sessions are now marked explicitly as non-user-authority messages. Receiver sessions refuse relayed permission requests outright. Sessions running in auto mode block them entirely. A permission grant now requires a direct human interaction, regardless of how it arrives.

EXPLAINER DIAGRAM: Two-panel comparison on white background with light border. Left panel labeled BEFORE v2.1.166 in gray, header text. Inside: three stacked dark blue rounded rectangles connected by downward arrows: top labeled HUMAN USER, middle labeled ORCHESTRATOR AGENT, bottom labeled WORKER AGENT. Arrow from ORCHESTRATOR to WORKER is red and labeled SENDMESSAGE CARRIES USER AUTHORITY. A small red warning triangle icon beside the arrow. Second red label below: PERMISSION REQUESTS ACCEPTED. Right panel labeled AFTER v2.1.166 in teal, header text. Same three stacked dark blue rectangles. Arrow from ORCHESTRATOR to WORKER is green and labeled SENDMESSAGE NON-USER AUTHORITY. Green checkmark icon. Label below in teal: PERMISSION REQUESTS BLOCKED. A small green badge at bottom reads ONLY HUMAN CAN GRANT PERMISSIONS. Bold black header at very top: SENDMESSAGE SECURITY CHANGE.

Before v2.1.166, messages relayed via SendMessage could carry user authority. After v2.1.166, relayed messages are stripped of that authority and permission requests from them are refused by receivers.

For vibecoders running a single orchestrator directing a handful of worker sessions on a coding project, this change is transparent. For anyone whose orchestrator was relaying permission grants to workers as part of an automation workflow, those grants now fail. The fix is to restructure the workflow so permissions come from a human-in-the-loop step rather than an orchestrated relay.

Stay current on Claude Code releases as they land

The Vibe Coder Blog covers model releases, tool updates, and agentic workflow shifts that matter to builders.

What Other Features Did v2.1.166 Include

Glob patterns in deny rules. Tool-name positions in deny rules now accept glob patterns. Setting "*" in the deny list blocks all tools. This makes blanket deny policies easier to write: deny everything, then allow specific tools by exception, rather than listing every tool name explicitly. Unknown tool names in deny rules now warn at startup, catching typos that previously silently failed to apply.

Thinking control. Setting MAX_THINKING_TOKENS=0, passing --thinking disabled, or toggling the per-model thinking setting now successfully disables extended thinking on models that use it by default when accessed via the Claude API. If you have tasks where you want raw speed over deliberation (quick lookups, formatting passes, short generation tasks), you can suppress the thinking step and reduce latency.

Update transparency. claude update now announces the target version before starting the download. Previously the command went silent during the download phase, making it unclear whether anything was happening. Small fix, useful when you care about tracking exactly which version a session is on before it switches mid-session.

Common Mistake

Configuring fallbackModel with a model your current plan cannot access. If you are on a Max plan using Opus 4.8 and you list Sonnet 4.6 as a fallback, that works fine. But if you list a model outside your plan's access tier, the fallback attempt fails with an auth error rather than a 529, and the error surfaces immediately without trying any further fallbacks. The auth failure does not trigger the next fallback in the chain. Check your plan's model access before writing your fallback list, and confirm it works during a low-stakes session before a long agent run.

What Does This Mean for Vibecoders Running Agentic Workflows

The fallback model is immediately actionable. Add it today if you have experienced 529 interruptions on Opus 4.8. The configuration takes under a minute and works at both user and project scope. For background workers and CI runs under --bg-exec or Claude Code GitHub Actions, the fallback now prevents hard session failures: workers degrade to the fallback model instead of stopping and leaving the task in an unknown partial state.

The SendMessage security change is a behavior break for anyone who built orchestration workflows that rely on relayed permission grants. That pattern was never the intended use of the feature, but if it was working for you before, it no longer does. The correction is to add an explicit human checkpoint where the permission grant is needed rather than routing it through the agent layer.

The two changes together describe a pattern in how Claude Code is maturing. The fallback model makes sessions more resilient to infrastructure conditions. The SendMessage security boundary makes multi-agent authority more precisely defined. Both are preconditions for running Claude Code workflows in production environments where a failed session costs real time, and where an ambiguous trust boundary is a liability.

Full release notes are in the v2.1.166 release on GitHub. The Claude Code changelog has the full v2.1.163 through v2.1.168 diff for this week's releases.

Frequently Asked Questions

Track Claude Code releases before they affect your agentic workflow

The Vibe Coder Blog publishes focused analysis for builders who ship with Claude.

Browse All Posts

Claude Code Adds Fallback Models and Tightens Agent Security

What Has Been Causing the Overload Interruptions

How Do You Configure the Fallback Model Setting

Why Did Cross-Session Messaging Change in Multi-Agent Work

What Other Features Did v2.1.166 Include

What Does This Mean for Vibecoders Running Agentic Workflows

Related Articles

Claude Code Security Plugin Scans for 25 Vulnerability Classes

Why Claude Agents Now Run Inside Your Private Network

Mini Shai-Hulud npm Attack Targets Your Claude Code Config

Windsurf Is Now Devin Desktop and Cascade Is Deprecated

The Tuesday Shipping Report