PRODUCTIVITY

notion-mcp

Notion's official MCP server. Read and write pages, databases, blocks. Internal-integration-token authenticated. The 'agent that lives in your workspace docs' enabler.

Alive · Recommended · Reviewed 2026-05-07
VERDICT

Default if your knowledge / docs / project tracking lives in Notion. Scope the integration to specific pages — Notion's permission model is page-tree-based and you should use that.

What it does

Read and write Notion. Tools cover search (full-text across shared pages), get_page, update_page, append_block_children, query_database, create_database_item, update_database_item. Auth is an Internal Integration Token from your Notion workspace.

When you actually need it

Notion is where many teams keep meeting notes, decision logs, OKRs, runbooks. An agent that can read those and write back is a strong fit for:

  1. Meeting summary → Notion page. Agent reads a transcript, drafts a summary, appends to your meeting-notes database.
  2. Question answered from your docs. Agent gets a question via Slack, searches the Notion knowledge base, drafts an answer with citations back to specific pages.
  3. Status update collation. Agent reads each team member's weekly update page, drafts a single roll-up, posts to a parent.

Setup

Create an Internal Integration at notion.so/profile/integrations. Pick the workspace, decide the capabilities (Read content, Update content, Insert content) — start with Read only, add the others when you genuinely need them. Copy the Internal Integration Token.

"notion": {
  "command": "npx",
  "args": ["-y", "@notionhq/notion-mcp-server"],
  "env": {
    "NOTION_INTEGRATION_TOKEN": "secret_…"
  }
}

Then in Notion, share specific pages with the integration. Walk the tree before you share — sharing a parent page shares every descendant.
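One way to do that walk before you click Share, as an added example that is not part of notion-mcp or of Notion's SDK: it recurses through block children the way the API exposes them (sub-pages nest under a page block, and a child page can sit inside a toggle or column), follows pagination cursors, and reports every page and database that would become visible. `walkShareTree`, `formatShareReport`, `SAMPLE_TREE` and `sampleListChildren` are names chosen here; `listChildren` is an injected function returning results in the shape of `notion.blocks.children.list(...)` from @notionhq/client, and the tree below is constructed sample data.

```javascript
// Added example, not part of notion-mcp or @notionhq/client: enumerate everything that
// becomes visible when a page is shared with an integration. walkShareTree,
// formatShareReport, SAMPLE_TREE and sampleListChildren are names chosen here.

// listChildren(blockId, cursor) must resolve to one page of results shaped like
// notion.blocks.children.list(): { results: [block...], has_more, next_cursor }.
// Each block carries id, type, has_children and, for pages/databases, a title.
async function walkShareTree(rootId, listChildren, depth = 0, out = []) {
  let cursor;
  do {
    const page = await listChildren(rootId, cursor);
    for (const block of page.results) {
      if (block.type === 'child_page') {
        out.push({ id: block.id, kind: 'page', title: block.child_page.title, depth });
        // Sub-pages nest under the page block, so descend one level.
        if (block.has_children) await walkShareTree(block.id, listChildren, depth + 1, out);
      } else if (block.type === 'child_database') {
        // Database rows are fetched with query_database, not as block children,
        // so the database is reported but not descended into.
        out.push({ id: block.id, kind: 'database', title: block.child_database.title, depth });
      } else if (block.has_children) {
        // Toggles, columns, callouts and similar containers can hold child pages too.
        await walkShareTree(block.id, listChildren, depth, out);
      }
    }
    cursor = page.has_more ? page.next_cursor : undefined;
  } while (cursor);
  return out;
}

// Indented, one-line-per-item report for a human to read before clicking Share.
function formatShareReport(rows) {
  return rows.map((r) => `${'  '.repeat(r.depth)}${r.kind}: ${r.title} (${r.id})`).join('\n');
}

// Constructed sample workspace: a "Company" page whose children span two API result
// pages, with one sub-page hidden inside a toggle block. Cursors are just page indexes.
const SAMPLE_TREE = {
  root: [
    { results: [
        { id: 'p1', type: 'child_page', has_children: true, child_page: { title: 'Engineering' } },
        { id: 't1', type: 'toggle', has_children: true },
      ], has_more: true, next_cursor: '1' },
    { results: [
        { id: 'db1', type: 'child_database', has_children: false, child_database: { title: 'Meeting notes' } },
        { id: 'x1', type: 'paragraph', has_children: false },
      ], has_more: false, next_cursor: null },
  ],
  p1: [{ results: [{ id: 'p2', type: 'child_page', has_children: false, child_page: { title: 'Runbooks' } }],
         has_more: false, next_cursor: null }],
  t1: [{ results: [{ id: 'p3', type: 'child_page', has_children: false, child_page: { title: 'Hidden in a toggle' } }],
         has_more: false, next_cursor: null }],
};

// Stand-in for the real API call; resolves the way the SDK would.
async function sampleListChildren(blockId, cursor) {
  const pages = SAMPLE_TREE[blockId] ?? [{ results: [], has_more: false, next_cursor: null }];
  return pages[cursor ? Number(cursor) : 0];
}

walkShareTree('root', sampleListChildren).then((rows) => console.log(formatShareReport(rows)));
```

To run it against a real workspace, pass `(id, cursor) => notion.blocks.children.list({ block_id: id, start_cursor: cursor, page_size: 100 })` and the id of the page you intend to share. The listing call itself needs access to that page, so do the walk with a separate read-only audit integration first and only then decide what the agent's integration gets. Databases are reported but not descended into, because their rows come from query_database, not from block children.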

The catch

The permission model is the safety lever. Use it. A common mistake: someone shares the workspace’s top-level “Company” page with the integration “to make it work” while developing — and that’s now the whole company knowledge base in the agent’s blast radius.

A better pattern: create a dedicated parent page like “Agent Workspace”, share that, and only put content the agent should access under it. If the agent needs to read the meeting-notes database, share the database explicitly — not the whole workspace.

The other catch is rate limits. Notion’s API is rate-limited to 3 requests per second. An agent doing block-level operations on a page (which can be 50+ blocks) hits the ceiling fast. The MCP server doesn’t queue or back off — your agent will see HTTP 429s. Add a “use the search tool first to narrow before paginating” rule in the prompt.
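A client-side guard for that ceiling, as an added example that is not part of notion-mcp: a token bucket paced at Notion's 3 requests per second, plus a retry loop for 429 that honours the Retry-After header (a value in seconds) and otherwise backs off exponentially with a cap. `NotionThrottle`, `headerValue` and `demoBurst` are names chosen here; the function passed to `call` is anything that resolves to a fetch-style response with `status` and headers, and the demo uses a constructed fake whose first request is rate limited. A virtual clock is injected so the demo runs instantly and deterministically.

```javascript
// Added example, not part of notion-mcp: client-side pacing and 429 handling for
// Notion API calls. NotionThrottle, headerValue and demoBurst are names chosen here.

// Read a header from either a fetch Headers object or a plain object.
function headerValue(headers, name) {
  if (!headers) return undefined;
  if (typeof headers.get === 'function') return headers.get(name);
  return headers[name] ?? headers[name.toLowerCase()];
}

class NotionThrottle {
  constructor({ ratePerSec = 3, burst = 3, maxRetries = 3, baseBackoffMs = 1000,
                now = () => Date.now(), sleep = (ms) => new Promise((r) => setTimeout(r, ms)) } = {}) {
    this.ratePerSec = ratePerSec;
    this.burst = burst;
    this.maxRetries = maxRetries;
    this.baseBackoffMs = baseBackoffMs;
    this.now = now;
    this.sleep = sleep;
    this.tokens = burst;          // token bucket: one token per request, refilled at ratePerSec
    this.lastRefillMs = now();
  }

  // Book the next send slot and return how long the caller must wait for it.
  // Tokens may go negative: that is the queue of callers already booked ahead.
  reserveDelayMs(nowMs) {
    const elapsed = Math.max(0, nowMs - this.lastRefillMs);
    this.tokens = Math.min(this.burst, this.tokens + (elapsed * this.ratePerSec) / 1000);
    this.lastRefillMs = nowMs;
    const waitMs = this.tokens >= 1 ? 0 : Math.ceil(((1 - this.tokens) * 1000) / this.ratePerSec);
    this.tokens -= 1;
    return waitMs;
  }

  // Delay before retry number `attempt` (0-based): honour Retry-After in seconds when the
  // server sent one, otherwise exponential backoff capped at 30 s.
  retryDelayMs(attempt, retryAfterHeader) {
    const seconds = Number(retryAfterHeader);
    if (retryAfterHeader != null && retryAfterHeader !== '' && Number.isFinite(seconds) && seconds >= 0) {
      return Math.ceil(seconds * 1000);
    }
    return Math.min(30000, this.baseBackoffMs * 2 ** attempt);
  }

  // Run `send` (resolves to a fetch-style response with .status and headers) under the
  // throttle, retrying 429s until maxRetries is exhausted. Retries are throttled too.
  async call(send) {
    for (let attempt = 0; ; attempt++) {
      const wait = this.reserveDelayMs(this.now());
      if (wait > 0) await this.sleep(wait);
      const response = await send();
      if (response.status !== 429) return response;
      if (attempt >= this.maxRetries) {
        throw new Error(`Notion API still rate limited after ${attempt + 1} attempts`);
      }
      await this.sleep(this.retryDelayMs(attempt, headerValue(response.headers, 'retry-after')));
    }
  }
}

// Demo with a virtual clock and a constructed transport: the very first request is
// rate limited with Retry-After: 1, every later request succeeds.
async function demoBurst() {
  let clock = 0;
  const sleeps = [];
  const throttle = new NotionThrottle({
    now: () => clock,
    sleep: async (ms) => { sleeps.push(ms); clock += ms; },
  });
  let calls = 0;
  const fakeNotion = async () => {
    calls += 1;
    return calls === 1
      ? { status: 429, headers: { 'retry-after': '1' } }
      : { status: 200, headers: {} };
  };
  const statuses = [];
  for (let i = 0; i < 4; i++) statuses.push((await throttle.call(fakeNotion)).status);
  return { statuses, sleeps, calls };
}

demoBurst().then((result) => console.log(JSON.stringify(result)));
```

Against a real endpoint, pass `() => fetch('https://api.notion.com/v1/...', { headers: { Authorization: 'Bearer ' + token, 'Notion-Version': '...' } })` as `send`. If you go through @notionhq/client instead, the SDK throws an APIResponseError with code 'rate_limited' on a 429; catch it inside the function you pass to `call` and return a `{ status: 429, headers }` object so the same retry path applies. The throttle only keeps requests within the limit; the "search first, then paginate" prompt rule is what reduces how many requests the agent makes in the first place.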

MCP SECURITY SCORECARD · Methodology v1.0 · Confidence HIGH · Reviewed 2026-05-07 · Next review due 2026-08-07
ADOPT

FOR: Notion workspace operations where pages shared with the integration are scoped to a dedicated agent-workspace tree.

Use it. The page-level sharing model is genuinely strong — exploit it. Create a dedicated 'Agent Workspace' parent page and only put pages the agent should access under it. Add a rate-limit-aware rule in the prompt to avoid 429s.

Maintainer: corp

Maintained by Notion's API team.

Licence: MIT

Notion's open-source MCP server licence.

Code review: yes

Maintained by Notion's API team.

Secrets handling: scoped

Internal Integration Token via env. Server doesn't log it.

Sandbox: process
Filesystem access: none
Shell access: no
Network egress: allow-list

api.notion.com only.

OAuth handling: scoped

Notion integrations support per-page sharing — the strongest safety lever. Walk the page tree before sharing parents.

Default permissions: minimal

Until you share specific pages, the integration sees nothing. The model is opt-in by design.

Prompt-injection exposure: high

Notion pages contain user-authored content — comments, embedded notes, callouts. Hostile content in any read result can attempt to redirect the agent. Treat all page content as untrusted text.

Supply chain surface: low

MCP SDK + @notionhq/client (official Notion SDK).

Dep CVE surface: clean
Rate-limit risk: high

Notion's 3 RPS limit is the strictest of the common MCPs. Block-level ops on a single page can serialise into many calls; agents hit 429s easily.

Signed releases: yes

npm package published with provenance attestations.

Security policy: yes
Telemetry: none

Notion's server-side request logs apply (governed by Notion's privacy policy).

Data residency: cloud

Notion's cloud (US for most workspaces; EU for EU-region workspaces under Enterprise tier).

Credential storage: memory
DESTRUCTIVE TOOLS

6 present · human approval optional

  • update_page
  • append_block_children
  • update_block
  • delete_block
  • create_database_item
  • update_database_item

NOT A FORMAL SECURITY AUDIT · Adoption posture based on public-source review · See methodology for what's measured and what isn't