Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
122 changes: 95 additions & 27 deletions product/admin/mcp-server/notion.mdx
Original file line number Diff line number Diff line change
@@ -1,31 +1,103 @@
---
title: Set up the Notion MCP server
description: Connect Notion to C1 with per-user OAuth or an internal integration secret, then register the Notion MCP server and govern its tools.
description: Connect Notion to C1 through the Notion API or Notion's own hosted MCP server, then register the server and govern its tools.
og:title: Set up the Notion MCP server
og:description: Connect Notion to C1 with per-user OAuth or an internal integration secret, then register the Notion MCP server and govern its tools.
og:description: Connect Notion to C1 through the Notion API or Notion's own hosted MCP server, then register the server and govern its tools.
sidebarTitle: Notion
---

{/* Editor Refresh: 2026-06-11 */}
{/* Editor Refresh: 2026-07-16 */}

<Note>
**Activation required.** AI access management must be enabled for your tenant before you can use it. To get started, [contact the C1 support team](mailto:support@c1.ai) for a walkthrough.

Check warning on line 12 in product/admin/mcp-server/notion.mdx

View check run for this annotation

Mintlify / Mintlify Validation (conductorone) - vale-spellcheck

product/admin/mcp-server/notion.mdx#L12

Did you really mean 'walkthrough'?
</Note>

The Notion MCP server lets you govern access to Notion — pages, databases, blocks, comments, and users — as tools your AI clients can call through C1.
C1 can govern Notion access two ways. Both let your AI clients read from and act on Notion through governed MCP tools, but they come from different places and appear as two separate entries in your MCP server catalog:

Notion supports two ways to authenticate, and you choose one when you register the server:
- **Notion (native MCP)** — listed as plain **Notion** in your catalog. C1 registers Notion's own hosted MCP server (`mcp.notion.com`) as a downstream server C1 governs. Authentication is always per-user OAuth using dynamic client registration (DCR) — Notion's hosted MCP server doesn't support a bearer token or API key, so there's no integration to create in Notion first. Tool calls run with the connected user's full Notion permissions, plus whatever connected sources (Slack, Google Drive, GitHub, Jira, Microsoft Teams, SharePoint, OneDrive, Linear) their Notion AI connectors expose.

Check warning on line 17 in product/admin/mcp-server/notion.mdx

View check run for this annotation

Mintlify / Mintlify Validation (conductorone) - vale-spellcheck

product/admin/mcp-server/notion.mdx#L17

Did you really mean 'Jira'?
- **Notion API** — C1 hosts its own MCP server that translates Notion's REST API into tools. You choose between per-user OAuth or a shared internal integration secret (a bearer token), and you scope access with the **capabilities** you grant the Notion integration (read/update/insert content, comments, user information).

- **Per-user OAuth** (recommended). Each person authorizes with their own Notion account, so every tool call runs under that user's Notion identity and permissions.
- **Internal integration secret**. A single token authenticates everyone, so all tool calls reach Notion as one shared identity.
| | Notion (native MCP) | Notion API |
| :--- | :--- | :--- |
| **Who hosts the MCP server** | Notion | C1 |
| **Authentication** | Per-user OAuth with dynamic client registration (DCR) only — no bearer token or API key option | Per-user OAuth, or a shared internal integration secret (bearer token) |
| **Access scoping** | The connected user's full Notion permissions — not independently scoped | The Notion **capabilities** you configure on the integration |
| **Tool surface** | Notion's own tool set: cross-source search, page and database creation/editing, page duplication, database views, comments, teamspaces, and users | Pages, databases, blocks, comments, users, and search, mapped to Notion API endpoints |

Check warning on line 25 in product/admin/mcp-server/notion.mdx

View check run for this annotation

Mintlify / Mintlify Validation (conductorone) - vale-spellcheck

product/admin/mcp-server/notion.mdx#L25

Did you really mean 'teamspaces'?
| **Setup effort** | Register in C1 and authorize — nothing to create in Notion first | Create a Notion integration (public or internal) first, then register it in C1 |

For a deeper comparison of shared versus per-user credentials, see [Configure authentication](/product/admin/mcp-servers#configure-authentication).
Use the native **Notion MCP** option (listed as plain **Notion** in your catalog) if you want Notion's own broader, agentic tool set — including cross-source search — and per-user OAuth is acceptable for your tenant. Use **Notion API** if you need a shared service-account credential (bearer token), or you want to scope access with Notion's capability toggles.

Check warning on line 28 in product/admin/mcp-server/notion.mdx

View check run for this annotation

Mintlify / Mintlify Validation (conductorone) - vale-spellcheck

product/admin/mcp-server/notion.mdx#L28

Did you really mean 'agentic'?

<Tabs>

<Tab title="Notion MCP">

C1 registers as a client of Notion's own hosted MCP server ([Notion MCP](https://www.notion.com/help/notion-mcp)) rather than translating Notion's REST API itself. Your users' AI clients still only ever see C1-governed MCP tools, but C1 proxies each tool call straight through to `mcp.notion.com` under the connected user's authorized session, then returns the result. The tools available are exactly the ones Notion's own MCP server exposes — C1 doesn't reshape or add to them.

## Before you begin

- AI access management must be enabled for your tenant. See [Enable AI access management](/product/admin/enable-ai-access-management).
- Nothing to create in Notion ahead of time. This option only supports per-user OAuth with dynamic client registration — Notion's hosted MCP server doesn't offer a bearer token or API key mode, so there's no client ID, secret, or integration to register. Each user just needs a Notion account with access to the workspace.
- To search and read from connected sources (Slack, Google Drive, GitHub, Jira, Microsoft Teams, SharePoint, OneDrive, Linear) through Notion MCP, users need those connectors set up on the Notion side. See Notion's [Notion MCP](https://www.notion.com/help/notion-mcp) documentation.

Check warning on line 40 in product/admin/mcp-server/notion.mdx

View check run for this annotation

Mintlify / Mintlify Validation (conductorone) - vale-spellcheck

product/admin/mcp-server/notion.mdx#L40

Did you really mean 'Jira'?

<Note>
In your MCP server catalog, this option is listed as **Notion** — distinct from the **Notion API** entry, which connects through C1's own MCP server. If you don't see either, [contact the C1 support team](mailto:support@c1.ai) to enable it for your tenant.
</Note>

## Set up per-user OAuth

Per-user OAuth with dynamic client registration (DCR) is the only authentication method this option supports — there's no bearer token or API key fallback. Each user authorizes individually, and C1 registers itself with Notion's authorization server automatically, so there's no app to create in Notion first (see Notion's [Connecting to Notion MCP](https://developers.notion.com/guides/mcp/get-started-with-mcp) documentation).

<Steps>
<Step>
Follow [Register an MCP server](/product/admin/mcp-servers#register-an-mcp-server) and select **Notion** from the catalog.
</Step>
<Step>
When you [configure authentication](/product/admin/mcp-servers#configure-authentication), choose **OAuth2 — per-user passthrough** and enable **Use dynamic client registration**. There's no client ID or secret to enter.
</Step>
<Step>
Save your changes. The first time a user calls a Notion tool from their AI client, they're redirected to Notion to sign in (if they aren't already) and approve the connection, then returned to C1.
</Step>
</Steps>

## What access is granted

Unlike the Notion API option, there are no separate capability toggles to configure. Once a user authorizes, tool calls run with that user's full Notion permissions — they can access everything the user can already access in Notion, including pages, databases, and comments, plus any connected sources their Notion AI connectors expose ([Notion MCP](https://www.notion.com/help/notion-mcp)).

## How Notion MCP credentials are shared

## How C1 connects to Notion
This option only supports per-user OAuth — there's no shared, service-account, or bearer-token mode. Every tool call runs under the calling user's own Notion identity, and Notion attributes each action to that individual. C1 still attributes each call to the individual user in the [AI tool usage audit log](/product/admin/audit-ai-tool-usage).

## Discover and govern tools

After you register the server, C1 runs tool discovery against Notion's MCP server. Discovered tools appear on the server's **Tools** tab and include Notion's own search and fetch tools, page and database creation and editing, page duplication, comments, teamspaces, users, and database views.

Check warning on line 72 in product/admin/mcp-server/notion.mdx

View check run for this annotation

Mintlify / Mintlify Validation (conductorone) - vale-spellcheck

product/admin/mcp-server/notion.mdx#L72

Did you really mean 'teamspaces'?

Each tool starts as either **Pending review** or automatically **Approved**, depending on the option chosen when the server was set up or your tenant's default tool settings in **AI** > **MCP** > **Settings**. See [Require tool approval](/product/admin/enable-ai-access-management#require-tool-approval) and [Default tool classification](/product/admin/enable-ai-access-management#default-tool-classification).

Before anyone can call a Notion tool, it must be approved, added to a toolset, and bound to an access profile. Continue to [Govern tools and toolsets](/product/admin/tools-and-toolsets) to set this up.

Check warning on line 76 in product/admin/mcp-server/notion.mdx

View check run for this annotation

Mintlify / Mintlify Validation (conductorone) - vale-spellcheck

product/admin/mcp-server/notion.mdx#L76

Did you really mean 'toolset'?

<Note>
Tool discovery runs even if authentication isn't complete yet, so seeing discovered tools doesn't confirm a user has authorized. You confirm access when an approved user successfully calls a Notion tool from their AI client.
</Note>

## Manage access to Notion MCP

Because this option uses per-user OAuth, there's no shared secret in C1 to rotate. Users and admins manage access from Notion itself:

- **An individual user can disconnect at any time.** In Notion, go to **Settings** > **Connections**, select the connection, open the **•••** menu, and choose **Disconnect the connection** ([Add and manage connections](https://www.notion.com/help/add-and-manage-connections-with-the-api)).
- **An Enterprise workspace owner can revoke access for one user or everyone.** In Notion, go to **Settings** > **Connections** > **Manage**, open the **•••** menu next to the connection, then choose **Revoke specific users' access to a connection** or **Disconnect all users** ([Enterprise connection settings](https://www.notion.com/help/enterprise-connection-settings)). Disconnecting all users revokes every external AI tool and MCP client connected through Notion MCP at once; affected users must re-authenticate to reconnect.

</Tab>

<Tab title="Notion API">

C1 hosts the Notion MCP server, so your users' AI clients only ever see MCP tools — they never call Notion directly. When an AI client calls one of these tools, C1 makes the matching request to the Notion API using the credentials you configure here, then returns the result to the AI client.

The credentials you set up below are what C1 uses to call Notion on your users' behalf.
Notion supports two ways to authenticate, and you choose one when you register the server:

- **Per-user OAuth** (recommended). Each person authorizes with their own Notion account, so every tool call runs under that user's Notion identity and permissions.
- **Internal integration secret**. A single bearer token authenticates everyone, so all tool calls reach Notion as one shared identity.

For a deeper comparison of shared versus per-user credentials, see [Configure authentication](/product/admin/mcp-servers#configure-authentication).

## Before you begin

Expand All @@ -34,16 +106,14 @@
- For an internal integration secret, you need to be a **Workspace Owner** of the Notion workspace.

<Note>
If you don't see **Notion** in your MCP server catalog, [contact the C1 support team](mailto:support@c1.ai) to enable it for your tenant.
In your MCP server catalog, this option is listed as **Notion API** — distinct from the **Notion** entry, which connects to Notion's own hosted MCP server. If you don't see either, [contact the C1 support team](mailto:support@c1.ai) to enable it for your tenant.
</Note>

## Option 1: Set up per-user OAuth

With per-user OAuth, you register one Notion public integration and each user authorizes individually. This keeps every action attributable to the user who took it, with only the access that user already has in Notion.

### Create a Notion public integration

Create a public integration in Notion that users will authorize through.
First, create a public integration in Notion that users will authorize through:

<Steps>
<Step>
Expand All @@ -67,13 +137,11 @@
</Step>
</Steps>

### Register the server with OAuth

With your public integration ready, register the server and provide its credentials to C1.
With your public integration ready, register the server and provide its credentials to C1:

<Steps>
<Step>
Follow [Register an MCP server](/product/admin/mcp-servers#register-an-mcp-server) and select **Notion** from the catalog.
Follow [Register an MCP server](/product/admin/mcp-servers#register-an-mcp-server) and select **Notion API** from the catalog.
</Step>
<Step>
When you [configure authentication](/product/admin/mcp-servers#configure-authentication), choose per-user OAuth and enter your integration's **client ID** and **client secret**.
Expand All @@ -87,9 +155,7 @@

An internal integration secret authenticates every user as one shared Notion identity. Use this when per-user attribution in Notion isn't required.

### Create an internal integration

Create an internal integration in Notion and connect it to the pages C1 should reach.
First, create an internal integration in Notion and connect it to the pages C1 should reach:

<Steps>
<Step>
Expand All @@ -111,13 +177,11 @@

For a shared production setup, create the integration from a dedicated service-account user so activity is attributable to C1 rather than a person.

### Register the server with a secret

With your internal integration secret ready, register the server and provide it to C1.
With your internal integration secret ready, register the server and provide it to C1:

<Steps>
<Step>
Follow [Register an MCP server](/product/admin/mcp-servers#register-an-mcp-server) and select **Notion** from the catalog.
Follow [Register an MCP server](/product/admin/mcp-servers#register-an-mcp-server) and select **Notion API** from the catalog.
</Step>
<Step>
When you [configure authentication](/product/admin/mcp-servers#configure-authentication), choose **Bearer token** and paste your internal integration secret.
Expand All @@ -127,7 +191,7 @@
</Step>
</Steps>

## How Notion credentials are shared
## How Notion API credentials are shared

How Notion sees your users' activity depends on the method you chose:

Expand All @@ -142,14 +206,18 @@

Each tool starts as either **Pending review** or automatically **Approved**, depending on the option chosen when the server was set up or your tenant's default tool settings in **AI** > **MCP** > **Settings**. See [Require tool approval](/product/admin/enable-ai-access-management#require-tool-approval) and [Default tool classification](/product/admin/enable-ai-access-management#default-tool-classification).

Before anyone can call a Notion tool, it must be approved, added to a toolset, and bound to an access profile. Continue to [Govern tools and toolsets](/product/admin/tools-and-toolsets) to set this up.

Check warning on line 209 in product/admin/mcp-server/notion.mdx

View check run for this annotation

Mintlify / Mintlify Validation (conductorone) - vale-spellcheck

product/admin/mcp-server/notion.mdx#L209

Did you really mean 'toolset'?

<Note>
Tool discovery runs even if your credentials are incorrect, so seeing discovered tools doesn't confirm that authentication is working. You confirm your Notion credentials when an approved user successfully calls a Notion tool from their AI client.
</Note>

## Manage your Notion credentials
## Manage your Notion API credentials

- **Rotate the OAuth client secret** on your public integration's **Configuration** tab in Notion, then update the secret on the server's authentication settings in C1.
- **Rotate the internal integration secret** by regenerating it on the integration's **Configuration** tab in Notion and updating it in C1.
- **Adjust access** by editing the integration's capabilities, and for an internal integration, the set of pages it's connected to.

</Tab>

</Tabs>