Server data from the Official MCP Registry
Token-auth Notion MCP: pages, databases, blocks, comments, files. Runs headless in CI and agents.
Token-auth Notion MCP: pages, databases, blocks, comments, files. Runs headless in CI and agents.
Valid MCP server (1 strong, 1 medium validity signals). No known CVEs in dependencies. Package registry verified. Imported from the Official MCP Registry.
5 files analyzed · 1 issue found
Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.
This plugin requests these system permissions. Most are normal for its category.
Set these up before or after installing:
Environment variable: NOTION_TOKEN
Environment variable: NOTION_PAGE_ID
Add this to your MCP configuration file:
{
"mcpServers": {
"io-github-awkoy-notion-mcp-server": {
"env": {
"NOTION_TOKEN": "your-notion-token-here",
"NOTION_PAGE_ID": "your-notion-page-id-here"
},
"args": [
"-y",
"notion-mcp-server"
],
"command": "npx"
}
}
}From the project's GitHub README.
Give your AI full read/write access to Notion with one token and one paste. This is an agent-first Notion MCP server: your AI client (Claude Code, Claude Desktop, Cursor, VS Code, Cline, Zed — anything that speaks MCP) can create pages, query databases, append blocks, apply templates, comment, and upload files in natural language.
Three reasons it exists when Notion ships its own MCP:
notion_execute + notion_describe) dispatch 43 operations, instead of one tool schema per endpoint flooding your agent's context.Step 1 — get a Notion token (1 minute). Open app.notion.com/developers/tokens (the Personal access tokens page of Notion's developer portal) → + New token → name it, pick your workspace → Create token → copy the ntn_… value. That's it — a PAT sees everything you can see, no per-page sharing required. (Page missing or empty? Your admin disabled PATs — see auth alternatives.)
Step 2 — add the server to your client.
claude mcp add notion -s user \
-e NOTION_TOKEN=ntn_paste_your_token_here \
-- npx -y notion-mcp-server
Click the badge (then replace YOUR_NOTION_TOKEN in the generated entry), or add to ~/.cursor/mcp.json yourself:
{
"mcpServers": {
"notion": {
"command": "npx",
"args": ["-y", "notion-mcp-server"],
"env": { "NOTION_TOKEN": "ntn_paste_your_token_here" }
}
}
}
VS Code prompts for the token on install and stores it as a secret input.
Easiest: the one-click extension. Download notion-mcp-server.mcpb from the latest release, double-click it (or drag into Claude Desktop → Settings → Extensions), paste your Notion token when prompted — done. No config files, Node.js not required.
Or via the config file: Settings → Developer → Edit Config, then add:
{
"mcpServers": {
"notion": {
"command": "npx",
"args": ["-y", "notion-mcp-server"],
"env": { "NOTION_TOKEN": "ntn_paste_your_token_here" }
}
}
}
Quit Claude Desktop fully (Cmd+Q / tray → Quit) and reopen. Never used a config file before? Follow the step-by-step walkthrough for non-developers — it assumes nothing.
claude mcp add notion -s user \
-e NOTION_TOKEN=ntn_paste_your_token_here \
-- docker run --rm -i -e NOTION_TOKEN ghcr.io/awkoy/notion-mcp-server:latest
The -i flag is required (stdio transport). The image is OCI-compliant — Podman, OrbStack, colima, Rancher Desktop, Finch, and nerdctl all work with the same flags.
Step 3 — try it. In a new chat:
"Use Notion to make a page called 'Hello from my agent' and add a checklist of three things to try today."
Your AI calls notion_execute and replies with a live page link.
where filters, flattened rowsget_page_markdown → edit → update_page_markdown)Full capability list in Features; the complete operation catalog (43 ops) is in the Operations menu.
Three options exist. Honest guidance:
| Best for | Auth | Headless / CI | Notes | |
|---|---|---|---|---|
Notion hosted MCP (mcp.notion.com) | Interactive chat in claude.ai, ChatGPT, Cursor | OAuth (human must click) | ❌ | First-party, 18 markdown tools, some plan-gated |
| Official open-source server | — | Token | ✅ | Notion has soft-deprecated it (“may sunset this repository… issues and PRs not actively monitored”) |
| This server | Agents, automation, CI, self-hosting, token-sensitive workloads | Token (PAT) | ✅ | Actively maintained, agent-first design below |
If you just want to chat with your Notion in claude.ai's web UI, use Notion's hosted connector — it's one click. Use this server when your agent runs unattended, when context/token cost matters, or when you want batch/idempotent semantics and self-hosting.
| Capability | Official Notion MCP (open source) | This server |
|---|---|---|
| Tool surface | ~24 tools (one per endpoint) loaded into context | 2 tools — the LLM loads ~90% less schema |
| Operations covered | ~24 endpoints | 43 operations (plus a trash_page alias) across pages, blocks, databases, data sources, views, templates, comments, users, files |
| Batch mutations | Not documented | ✅ Universal { items: [...] } envelope; up to 10 in parallel |
| Atomic batches + rollback | Not documented | ✅ atomic: true aborts on first failure, best-effort archives entities created earlier |
| Idempotency | Not documented | ✅ idempotency_key — same key + op returns the cached result for 5 minutes |
| Rate-limit handling | 429s bubble up | ✅ Token-bucket limiter (3 req/s default) + exponential backoff, honors Retry-After |
| Response shapes | Raw Notion SDK JSON | Slim shapers drop noise by default; verbose: true opts out |
| Database queries | Raw properties bag per row | Flattened name → primitive map (all 20+ property types) |
| Wire format | Default SDK serialization | Compact JSON — ~30% smaller payloads |
| Markdown | Page-level markdown tools | ✅ Markdown accepted by create_page / append_blocks / update_block / comments + full round-trip (get_page_markdown / update_page_markdown), full GFM |
| Templates | — | ✅ create_page from a Notion template + list_data_source_templates discovery |
| File uploads | Not in the documented tool surface | ✅ Single- and multi-part (5 MB chunks), MIME inferred |
| Validation errors | Plain error string | Self-healing: { code, message, path, issues, schema, example, fix } — corrected in one round-trip |
| Notion API version | — | Pinned 2026-03-11 (data sources, views, templates) |
Real-world impact:
notion_execute call with { items: [...], concurrency: 10 } instead of 50 separate tool calls through the agent's reasoning loop: roughly an order of magnitude faster, and the prompt-token savings are the bigger win.properties bag, with no information loss.A Personal Access Token (PAT) is like a key that lets the AI act as you inside Notion — it sees every page you can see, with no per-page setup.
Open app.notion.com/developers/tokens while logged into Notion — that's the Personal access tokens page of Notion's developer portal (also reachable from the app via Settings → Connections → Develop or manage integrations → Personal access tokens in the sidebar).
Click + New token.
Name it (e.g. Claude), pick the workspace, leave the default Notion API capability checked, click Create token.
Copy the token now — Notion shows it only once. It starts with ntn_. Treat it like a password.
PATs expire 1 year after creation — set a reminder to rotate. No "Personal access tokens" tab? Your admin disabled them; use the Internal Integration alternative.
claude_desktop_config.json opens. Don't panic at the curly braces — it's just text.Cmd+A / Ctrl+A), delete, and paste:{
"mcpServers": {
"notion": {
"command": "npx",
"args": ["-y", "notion-mcp-server"],
"env": {
"NOTION_TOKEN": "ntn_paste_your_token_here"
}
}
}
}
This block tells Claude Desktop how to launch the connector.
npxdownloads and runs it automatically the first time. The only thing you change is the token.
ntn_paste_your_token_here with your token — keep the quotation marks.Cmd+S / Ctrl+S).Cmd+Q; Windows: tray icon → Quit) and reopen it.Type / in a new chat — you should see notion_execute and notion_describe in the list. Then ask:
"Use Notion to make a new page called 'Hello from Claude' and add a checklist of three things I want to try today."
Claude calls the tool and replies with a page link. If something's off, it's almost always a token typo or Claude Desktop not fully quit — see Troubleshooting.
Both use the same NOTION_TOKEN env var — only where you get the token differs.
| Personal Access Token (recommended) | Internal Integration (scoped) | |
|---|---|---|
| Where | app.notion.com/developers/tokens → + New token | app.notion.com/developers/connections → + New connection |
| Scope | Everything you can see | Only pages where you clicked • • • → Connect → <integration> |
| Friction | None | Per-page Connect step for every page/database |
| Use when | Default: personal + team workspaces, prototyping | Admin requires explicit per-resource scoping, or shared production bots |
💡 Most
object_not_founderrors are a wrong auth choice, not a bug: an Internal Integration token that was never Connected to the page. Switch to a PAT.
Can: read every page you have access to; create/update pages and databases where you have edit rights; comment as you; upload files. Can't: access pages you can't see; bypass workspace permissions; act as another user; change admin settings. A PAT's scope = your account — if you lose access to a page, so does the PAT. Issue separate tokens per teammate.
Expiry: PATs expire 1 year after creation (Notion docs); set a reminder for ~11 months.
Revoking: app.notion.com/developers/tokens → Revoke next to the token (immediate). Workspace admins can revoke anyone's from Settings & members → Connections → All personal access tokens.
Admin disabled PATs? Ask them to enable, or create an Internal Integration at app.notion.com/developers/connections (+ New connection) and • • • → Connect it to every page the agent should touch — same NOTION_TOKEN env var.
Official reference: PAT guide · Authorization overview.
| Env var | Required | Default | Meaning |
|---|---|---|---|
NOTION_TOKEN | ✅ | — | PAT (ntn_…, recommended) or Internal Integration secret (secret_… / ntn_…) |
NOTION_PAGE_ID | — | — | Default parent for create_page / create_database when no parent is passed (page → Share → Copy link; ID = last 32 chars) |
NOTION_RATE_LIMIT | — | 3 | Requests/second for the shared limiter (Notion's documented per-integration limit) |
NOTION_READ_ONLY | — | — | true/1/yes disables every write operation in one switch |
NOTION_ALLOWED_OPERATIONS | — | all | Comma-separated allowlist of operations or group presets — see Restricting operations |
NOTION_BLOCKED_OPERATIONS | — | — | Comma-separated blocklist (same vocabulary); wins over the allowlist |
HTTPS_PROXY / HTTP_PROXY | — | — | Route Notion API traffic through an HTTP(S) proxy (standard env vars, lowercase also accepted) |
NOTION_DAILY_LOG_PAGE_ID | — | — | Only used by the daily-log MCP prompt |
HTTP-transport variables (MCP_TRANSPORT, PORT, HOST, MCP_AUTH_TOKEN, …) are covered in Remote / HTTP transport.
Upgrading from v1.x? Your env vars all still work unchanged. The only break is the tool surface (v1's five tools became
notion_execute+notion_describe); modern clients rediscover tools automatically. Details: MIGRATION.md.
Limit what an agent can do with NOTION_ALLOWED_OPERATIONS (allowlist) and/or NOTION_BLOCKED_OPERATIONS (blocklist) — each a comma-separated list of group presets or exact operation names.
| Preset | Expands to |
|---|---|
read | every non-mutating operation |
write | every mutating operation |
destructive | operations whose purpose is removal (archive_page/trash_page, delete_block, batch_mixed_blocks, delete_comment, delete_view) |
pages blocks databases data_sources views comments users files | every operation in that family (read and write) |
Read-only deployment (most common):
{ "env": { "NOTION_TOKEN": "ntn_xxx", "NOTION_ALLOWED_OPERATIONS": "read" } }
Everything except destructive ops:
{ "env": { "NOTION_BLOCKED_OPERATIONS": "destructive" } }
Mix presets and individual ops:
{ "env": { "NOTION_ALLOWED_OPERATIONS": "read,append_blocks,add_page_comment" } }
Rules: case-insensitive; unknown tokens ignored with a warning; blocklist wins; an allowlist that resolves to zero operations disables everything (fail-closed). Disabled operations disappear from notion_describe and the notion://operations menu, and notion_execute rejects them with operation_not_allowed.
On startup the server logs one line to stderr summarizing what resolved — check it first if the config doesn't behave as expected:
Operation access: 20/44 enabled (allow=read; block=(none))
| Domain | Read | Write |
|---|---|---|
pages | search_pages get_page get_page_markdown | create_page set_page_title set_page_property set_page_properties update_page_markdown move_page restore_page archive_page† trash_page† |
blocks | get_block get_block_children | append_blocks update_block delete_block† batch_mixed_blocks† |
databases | query_database | create_database update_database |
data_sources | list_data_sources get_data_source list_data_source_templates | update_data_source |
views | list_views get_view query_view | create_view update_view delete_view† |
comments | list_comments get_comment | add_page_comment add_discussion_comment update_comment delete_comment† |
users | list_users get_user get_bot_user get_self | — |
files | list_file_uploads get_file_upload | upload_file |
† = also in the destructive group.
Limitations (control is per-operation, not per-parameter): a few write ops can remove content via a parameter — update_database / update_data_source accept in_trash, and update_page_markdown can replace a page body. Blocking destructive does not disable those. For a guaranteed no-mutation deployment use NOTION_ALLOWED_OPERATIONS=read or NOTION_READ_ONLY=true. MCP prompts may still mention disabled operations, but execution is rejected.
By default the server speaks stdio (the local path above). To run it as a remote/hosted endpoint — web clients, networked agents, shared deployments — set MCP_TRANSPORT=http:
MCP_TRANSPORT=http PORT=3000 NOTION_TOKEN=ntn_xxx npx -y notion-mcp-server
# -> notion-mcp-server vX.Y.Z running on http://127.0.0.1:3000/mcp
It serves MCP Streamable HTTP at POST/GET/DELETE /mcp (stateful sessions via the mcp-session-id header) plus an unauthenticated GET /health. It's single-tenant — every request acts as the one NOTION_TOKEN the process started with.
| env | default | meaning |
|---|---|---|
MCP_TRANSPORT | stdio | set to http to enable HTTP |
PORT | 3000 | listen port (0 = OS-assigned) |
HOST | 127.0.0.1 | bind address; set 0.0.0.0 to expose externally (only with MCP_AUTH_TOKEN) |
MCP_AUTH_TOKEN | — | when set, every /mcp request must send Authorization: Bearer <token> |
MCP_ALLOWED_HOSTS | localhost + bound host | comma-list for DNS-rebinding Host allowlist |
MCP_ALLOWED_ORIGINS | localhost origins | comma-list for browser Origin allowlist |
⚠️ Whoever reaches
/mcpacts as yourNOTION_TOKEN. On loopback (the default) that's just local processes. Before binding a non-loopbackHOST, setMCP_AUTH_TOKEN(the server warns if you don't) and/or front it with an authenticating reverse proxy.
Connect from clients that support headers (Claude Code, Cursor, VS Code):
claude mcp add --transport http notion https://your-host/mcp \
--header "Authorization: Bearer <MCP_AUTH_TOKEN>"
Try it locally:
curl http://127.0.0.1:3000/health
# -> {"status":"healthy","transport":"http","port":3000}
npx @modelcontextprotocol/inspector --transport http --server-url http://127.0.0.1:3000/mcp
In Docker:
docker run --rm -e NOTION_TOKEN=ntn_xxx -e MCP_TRANSPORT=http -p 3000:3000 ghcr.io/awkoy/notion-mcp-server
notion_execute (do it) + notion_describe (learn the shape). The whole API is one schema deep.{ items: [...], atomic?, idempotency_key?, concurrency? } with per-item validation and results.atomic: true aborts on first failure and archives anything created earlier in the batch.(operation, idempotency_key) returns the cached result for 5 minutes. Safe to retry on flaky networks.NOTION_RATE_LIMIT to change) with exponential backoff on 429/5xx/timeouts, honoring Retry-After.{ schema, example, fix } so the model corrects bad payloads in one round-trip.create_page / append_blocks / update_block / comment bodies accept a markdown string (full GFM: headings 1–4, lists, nested to-dos, blockquotes, fenced code with language detection, images, dividers, inline formatting), plus full round-trip via get_page_markdown / update_page_markdown.create_page can apply a data source's template (template: { type: "template_id" | "default" }), with list_data_source_templates to discover template IDs.query_view runs a view's stored filters/sorts and returns hydrated rows.where filter shorthand — query_database takes {Status: {equals: "Done"}, AND: [...]} and compiles it to Notion filter JSON (raw filter still accepted for edge cases).query_database rows flattened to name → primitive maps, compact JSON wire format (~30% smaller). verbose: true opts out per call.paginate: true on search_pages / list_comments / query_database walks next_cursor for you (default cap ≈ 1000 items).HTTPS_PROXY / HTTP_PROXY env vars for corporate networks.NOTION_READ_ONLY one-switch read-only mode plus per-operation allow/block lists.notion_execute & notion_describe)The server exposes exactly two MCP tools — your client loads two schemas regardless of which of the 43 operations gets called.
notion_executeRun any operation: { operation, payload }, where payload is a single object or { items: [...] } for batch mode.
// single call
{
"operation": "set_page_title",
"payload": { "page_id": "<page-id>", "title": "Q3 plan" }
}
// batch
{
"operation": "set_page_title",
"payload": {
"items": [
{ "page_id": "<p1>", "title": "First" },
{ "page_id": "<p2>", "title": "Second" }
],
"atomic": false,
"concurrency": 3,
"idempotency_key": "rename-pass-2026-07-02"
}
}
// markdown shortcut (create_page, append_blocks, update_block, update_page_markdown)
{
"operation": "create_page",
"payload": {
"parent": { "type": "page_id", "page_id": "<parent>" },
"title": "Notes",
"markdown": "# Heading\n\n- [ ] todo\n- [x] done\n\n```ts\nconst x = 1;\n```"
}
}
If a payload doesn't validate, the error response includes the operation's full JSON Schema, a working example, and a fix hint — the next call can be corrected without a notion_describe round-trip.
notion_describeReturns the JSON Schema + working example for one operation — useful before complex calls (filter expressions, mixed block batches, database property definitions).
{ "operation": "query_database" }
| Area | Operations |
|---|---|
| Pages | create_page, get_page, set_page_title, set_page_property, set_page_properties, archive_page (alias: trash_page), restore_page, search_pages, move_page, get_page_markdown, update_page_markdown |
| Blocks | append_blocks, get_block, get_block_children, update_block, delete_block, batch_mixed_blocks |
| Databases | create_database, query_database, update_database |
| Data sources | list_data_sources, get_data_source, update_data_source, list_data_source_templates |
| Views | list_views, get_view, query_view, create_view, update_view, delete_view |
| Comments | list_comments, add_page_comment, add_discussion_comment, get_comment, update_comment, delete_comment |
| Users | list_users, get_user, get_bot_user, get_self |
| Files | upload_file, list_file_uploads, get_file_upload |
The authoritative list (with batchability) is served as an MCP resource at notion://operations.
Clients that support resource attachment (@-mention) can pull Notion content into context without a tool call:
| Resource URI | Returns |
|---|---|
notion://operations | Markdown cheat sheet of every enabled operation |
notion://page/<page_id> | Page body as markdown |
notion://database/<data_source_id> | Data source schema as JSON |
Dynamic resources route through the same auth, rate limiting, and access gating as tool calls.
object_not_found / "Could not find …" — an Internal Integration token only sees pages explicitly Connected to it. Switch to a PAT to skip per-page sharing.NOTION_TOKEN in your client config, then confirm the token is still listed as Active at app.notion.com/developers/tokens.parent in the call, or set NOTION_PAGE_ID.multi_source_database from query_database — the database has multiple data sources. Call list_data_sources, then pass data_source_id instead of database_id.Cmd+Q, not window close) before reopening.-i flag is required: docker run --rm -i ….-e — use -e NOTION_TOKEN (forwards from parent env) or -e NOTION_TOKEN=ntn_xxx, not -e NOTION_TOKEN ntn_xxx.Still stuck? GitHub Issues · Notion API reference · MCP spec
A Model Context Protocol server that connects AI assistants — Claude, Cursor, VS Code Copilot, Cline, Zed, Continue, anything that speaks MCP — to your Notion workspace. It runs locally (or in Docker, or as an HTTP endpoint) and exposes two MCP tools the AI calls to read and write Notion. You authenticate once with a Notion token; everything else is natural language.
See the Quick start: get a PAT at app.notion.com/developers/tokens, then one claude mcp add command (Claude Code) or one JSON paste (Claude Desktop). Non-developers: the complete walkthrough assumes nothing.
Notion's hosted MCP (mcp.notion.com) is OAuth-only and built for interactive chat — it can't run headless. Their open-source server is soft-deprecated and exposes one tool per endpoint. This server authenticates with a token (works in CI/automation), exposes 2 tools dispatching 43 operations, batches mutations with idempotency and retries, and slims responses to cut token cost. See Which Notion MCP should you use?.
Cursor, VS Code (Copilot agent mode), Cline, Zed, Continue: yes — install badges and config blocks are in the Quick start. ChatGPT's built-in connectors require OAuth-hosted servers, so use Notion's hosted MCP there; developers can still reach this server from the OpenAI API's mcp tool by pointing it at a self-hosted HTTP endpoint with a bearer token.
The token lives in your MCP client's local config and is only sent to api.notion.com over HTTPS. The server is open source — read every line. A PAT has the same access you do, so don't paste it into untrusted clients, and revoke it at app.notion.com/developers/tokens if a laptop is lost. For agents that should never write, set NOTION_READ_ONLY=true.
Yes — anything that speaks MCP stdio (or Streamable HTTP) works. The server doesn't care what's on the other side of the protocol.
git clone https://github.com/awkoy/notion-mcp-server.git
cd notion-mcp-server
npm install
echo "NOTION_TOKEN=ntn_xxx" > .env
npm run build # tsc -> build/
npm test # vitest suite
npm run inspector # MCP inspector against the built binary
Local build instead of npx:
claude mcp add notion -s user \
-e NOTION_TOKEN=ntn_xxx \
-- node "$(pwd)/build/index.js"
^1.29.0); stdio + Streamable HTTP transports@notionhq/client@^5.22.0, pinned Notion-Version: 2026-03-11$defs deduplication for error envelopesremark / remark-gfmwithRetry with exponential backoff around every dispatched callverbose: true opt-outPRs welcome. Fork → branch → commit → push → PR. Run npm test before submitting.
MIT — see LICENSE.
mcp-name: io.github.awkoy/notion-mcp-server
Be the first to review this server!
by Modelcontextprotocol · Productivity
Knowledge graph-based persistent memory across sessions
by Toleno · Developer Tools
Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.
by mcp-marketplace · Developer Tools
Create, build, and publish Python MCP servers to PyPI — conversationally.