Integration Tokens
Integration tokens are the simplest way to authenticate when building internal tools or private integrations.Getting an Integration Token
1
Create an integration
Visit Notion’s integration settings and create a new integration.
2
Copy your token
After creating the integration, copy the Internal Integration Token (starts with
secret_).3
Store securely
Store your token in an environment variable:
.env
Using an Integration Token
Pass your token to theClient constructor using the auth option:
Per-Request Authentication
You can also authenticate on a per-request basis, which is useful when working with multiple tokens:Request-level
auth parameters override the client-level auth option.OAuth Authentication
OAuth is required when building public integrations that need to access Notion workspaces on behalf of users.OAuth Flow Overview
1
User authorization
Redirect users to Notion’s authorization URL with your client ID.
2
Authorization code
Notion redirects back to your app with an authorization code.
3
Exchange for token
Exchange the authorization code for an access token using your client ID and secret.
4
Make API calls
Use the access token to make authenticated API requests.
Setting Up OAuth
First, configure your integration for OAuth in Notion’s integration settings:- Enable OAuth in your integration settings
- Add your Redirect URIs
- Note your Client ID and Client Secret
Exchanging Authorization Code for Token
After the user authorizes your integration, use theoauth.token() method to exchange the authorization code for an access token:
The
oauth.token() method requires both client_id and client_secret parameters. These are passed separately and used for Basic Authentication.Using OAuth Access Tokens
Once you have an access token, use it to authenticate API requests:OAuth Token Management
The SDK provides methods for managing OAuth tokens:Token Introspection
Inspect a token to check its validity and metadata:Token Revocation
Revoke an access token when it’s no longer needed:Authentication Headers
The SDK handles authentication headers automatically:Integration Token Authentication
When using an integration token or OAuth access token, the SDK adds:OAuth Client Authentication
For OAuth token endpoints (token, introspect, revoke), the SDK uses Basic Authentication:
You don’t need to manually construct these headers—the SDK handles them based on the authentication method you’re using.
Error Handling
Handle authentication errors using theAPIErrorCode enum:
Common Authentication Error Codes
Best Practices
Secure Storage
Store tokens in environment variables or secure secret management systems, never in source code.
Token Rotation
Regularly rotate integration tokens and implement token refresh for OAuth flows.
Minimal Permissions
Request only the permissions your integration needs to function.
Error Handling
Always handle authentication errors gracefully and provide clear user feedback.
Complete OAuth Example
Here’s a complete example of implementing OAuth in an Express.js application:Next Steps
Client Configuration
Explore advanced client configuration options
Error Handling
Learn comprehensive error handling techniques