Skip to main content
The Notion SDK supports OAuth 2.0 for public integrations, allowing users to authorize your application to access their Notion workspace. The SDK provides three OAuth methods on the client.oauth namespace:
  • client.oauth.token() - Exchange authorization codes for access tokens
  • client.oauth.introspect() - Validate and inspect tokens
  • client.oauth.revoke() - Revoke access tokens

OAuth Flow Overview

  1. Redirect user to Notion’s authorization URL
  2. User approves your integration
  3. Notion redirects back with an authorization code
  4. Exchange code for access token using oauth.token()
  5. Store tokens securely
  6. Use access token to make API requests
  7. Refresh token when it expires

Setting Up OAuth

Prerequisites

  • Create a public integration at notion.so/my-integrations
  • Configure OAuth redirect URLs
  • Note your client_id and client_secret

Environment Variables

Step 1: Authorization URL

Redirect users to Notion’s authorization URL:

Step 2: Exchange Code for Token

After the user authorizes, Notion redirects back with a code parameter. Exchange it for an access token using oauth.token():

token() Method Signature

Authorization Code Grant

Token Response

The OauthTokenResponse includes:

Using the Access Token

Once you have the access token, use it to create an authenticated client:

Step 3: Refresh Token

When an access token expires, use the refresh token to get a new one:

Refresh Token Grant

Always store tokens securely. Never commit them to version control or expose them in client-side code.

Introspecting Tokens

Use oauth.introspect() to validate and inspect a token:

introspect() Method Signature

Example

Introspect Response

Revoking Tokens

Revoke a token when a user disconnects your integration:

revoke() Method Signature

Example

Revoke Response

After revoking a token, it can no longer be used to make API requests. The user will need to re-authorize your integration.

Complete OAuth Example

Here’s a complete Express.js example:

Best Practices

Always include a random state parameter in the authorization URL and verify it in the callback to prevent CSRF attacks:
  • Never store tokens in localStorage or cookies accessible to JavaScript
  • Use encrypted database storage
  • Consider using environment variables for development only
  • Rotate tokens regularly
Implement automatic token refresh when API requests fail with authentication errors:
  • Explain what permissions your app needs
  • Show which workspace will be connected
  • Provide a way to disconnect/revoke access

Error Handling

Handle OAuth errors appropriately:

Additional Resources

Notion OAuth Documentation

Official Notion OAuth guide

OAuth 2.0 Specification

Learn more about OAuth 2.0