client.oauth namespace:
client.oauth.token()- Exchange authorization codes for access tokensclient.oauth.introspect()- Validate and inspect tokensclient.oauth.revoke()- Revoke access tokens
OAuth Flow Overview
- Redirect user to Notion’s authorization URL
- User approves your integration
- Notion redirects back with an authorization code
- Exchange code for access token using
oauth.token() - Store tokens securely
- Use access token to make API requests
- Refresh token when it expires
Setting Up OAuth
Prerequisites
- Create a public integration at notion.so/my-integrations
- Configure OAuth redirect URLs
- Note your
client_idandclient_secret
Environment Variables
Step 1: Authorization URL
Redirect users to Notion’s authorization URL:Step 2: Exchange Code for Token
After the user authorizes, Notion redirects back with acode parameter. Exchange it for an access token using oauth.token():
token() Method Signature
Authorization Code Grant
Token Response
TheOauthTokenResponse includes:
Using the Access Token
Once you have the access token, use it to create an authenticated client:Step 3: Refresh Token
When an access token expires, use the refresh token to get a new one:Refresh Token Grant
Introspecting Tokens
Useoauth.introspect() to validate and inspect a token:
introspect() Method Signature
Example
Introspect Response
Revoking Tokens
Revoke a token when a user disconnects your integration:revoke() Method Signature
Example
Revoke Response
After revoking a token, it can no longer be used to make API requests. The user will need to re-authorize your integration.
Complete OAuth Example
Here’s a complete Express.js example:Best Practices
Use state parameter for CSRF protection
Use state parameter for CSRF protection
Always include a random
state parameter in the authorization URL and verify it in the callback to prevent CSRF attacks:Store tokens securely
Store tokens securely
- Never store tokens in localStorage or cookies accessible to JavaScript
- Use encrypted database storage
- Consider using environment variables for development only
- Rotate tokens regularly
Handle token expiration gracefully
Handle token expiration gracefully
Implement automatic token refresh when API requests fail with authentication errors:
Error Handling
Handle OAuth errors appropriately:Additional Resources
Notion OAuth Documentation
Official Notion OAuth guide
OAuth 2.0 Specification
Learn more about OAuth 2.0