From 14452107de281ec0d2cf48bad118cdac500518df Mon Sep 17 00:00:00 2001 From: Muhammad Kumail Date: Fri, 17 Jul 2026 00:43:41 +0000 Subject: [PATCH 1/2] Add a Notion MCP tab alongside Notion API on the Notion setup page Notion ships its own hosted MCP server in addition to the REST API C1 already wraps. Add a "Notion MCP" tab (native hosted server, per-user OAuth with dynamic client registration only) next to the existing "Notion API" tab (REST-API-backed, per-user OAuth or a shared internal integration secret), with Notion MCP as the default tab and a comparison table up top explaining how the two differ (hosting, auth, access scoping, tool surface, setup effort). Co-authored-by: c1-squire-dev[bot] --- product/admin/mcp-server/notion.mdx | 130 +++++++++++++++++++++------- 1 file changed, 99 insertions(+), 31 deletions(-) diff --git a/product/admin/mcp-server/notion.mdx b/product/admin/mcp-server/notion.mdx index 0d8133e8..ef5c389b 100644 --- a/product/admin/mcp-server/notion.mdx +++ b/product/admin/mcp-server/notion.mdx @@ -1,49 +1,119 @@ --- title: Set up the Notion MCP server -description: Connect Notion to C1 with per-user OAuth or an internal integration secret, then register the Notion MCP server and govern its tools. +description: Connect Notion to C1 through the Notion API or Notion's own hosted MCP server, then register the server and govern its tools. og:title: Set up the Notion MCP server -og:description: Connect Notion to C1 with per-user OAuth or an internal integration secret, then register the Notion MCP server and govern its tools. +og:description: Connect Notion to C1 through the Notion API or Notion's own hosted MCP server, then register the server and govern its tools. sidebarTitle: Notion --- -{/* Editor Refresh: 2026-06-11 */} +{/* Editor Refresh: 2026-07-16 */} **Activation required.** AI access management must be enabled for your tenant before you can use it. To get started, [contact the C1 support team](mailto:support@c1.ai) for a walkthrough. -The Notion MCP server lets you govern access to Notion — pages, databases, blocks, comments, and users — as tools your AI clients can call through C1. +C1 can govern Notion access two ways. Both let your AI clients read from and act on Notion through governed MCP tools, but they come from different places and appear as two separate entries in your MCP server catalog: -Notion supports two ways to authenticate, and you choose one when you register the server: +- **Notion (native MCP)** — listed as plain **Notion** in your catalog. C1 registers Notion's own hosted MCP server (`mcp.notion.com`) as a downstream server C1 governs. Authentication is always per-user OAuth using dynamic client registration (DCR) — Notion's hosted MCP server doesn't support a bearer token or API key, so there's no integration to create in Notion first. Tool calls run with the connected user's full Notion permissions, plus whatever connected sources (Slack, Google Drive, GitHub, Jira, Microsoft Teams, SharePoint, OneDrive, Linear) their Notion AI connectors expose. +- **Notion API** — C1 hosts its own MCP server that translates Notion's REST API into tools. You choose between per-user OAuth or a shared internal integration secret (a bearer token), and you scope access with the **capabilities** you grant the Notion integration (read/update/insert content, comments, user information). -- **Per-user OAuth** (recommended). Each person authorizes with their own Notion account, so every tool call runs under that user's Notion identity and permissions. -- **Internal integration secret**. A single token authenticates everyone, so all tool calls reach Notion as one shared identity. +| | Notion (native MCP) | Notion API | +| :--- | :--- | :--- | +| **Who hosts the MCP server** | Notion | C1 | +| **Authentication** | Per-user OAuth with dynamic client registration (DCR) only — no bearer token or API key option | Per-user OAuth, or a shared internal integration secret (bearer token) | +| **Access scoping** | The connected user's full Notion permissions — not independently scoped | The Notion **capabilities** you configure on the integration | +| **Tool surface** | Notion's own tool set: cross-source search, page and database creation/editing, page duplication, database views, comments, teamspaces, and users | Pages, databases, blocks, comments, users, and search, mapped to Notion API endpoints | +| **Setup effort** | Register in C1 and authorize — nothing to create in Notion first | Create a Notion integration (public or internal) first, then register it in C1 | -For a deeper comparison of shared versus per-user credentials, see [Configure authentication](/product/admin/mcp-servers#configure-authentication). +Use the native **Notion MCP** option (listed as plain **Notion** in your catalog) if you want Notion's own broader, agentic tool set — including cross-source search — and per-user OAuth is acceptable for your tenant. Use **Notion API** if you need a shared service-account credential (bearer token), or you want to scope access with Notion's capability toggles. + + + + + +C1 registers as a client of Notion's own hosted MCP server ([Notion MCP](https://www.notion.com/help/notion-mcp)) rather than translating Notion's REST API itself. Your users' AI clients still only ever see C1-governed MCP tools, but C1 proxies each tool call straight through to `mcp.notion.com` under the connected user's authorized session, then returns the result. The tools available are exactly the ones Notion's own MCP server exposes — C1 doesn't reshape or add to them. + +**Before you begin** + +- AI access management must be enabled for your tenant. See [Enable AI access management](/product/admin/enable-ai-access-management). +- Nothing to create in Notion ahead of time. This option only supports per-user OAuth with dynamic client registration — Notion's hosted MCP server doesn't offer a bearer token or API key mode, so there's no client ID, secret, or integration to register. Each user just needs a Notion account with access to the workspace. +- To search and read from connected sources (Slack, Google Drive, GitHub, Jira, Microsoft Teams, SharePoint, OneDrive, Linear) through Notion MCP, users need those connectors set up on the Notion side. See Notion's [Notion MCP](https://www.notion.com/help/notion-mcp) documentation. + + +In your MCP server catalog, this option is listed as **Notion** — distinct from the **Notion API** entry, which connects through C1's own MCP server. If you don't see either, [contact the C1 support team](mailto:support@c1.ai) to enable it for your tenant. + + +**Set up per-user OAuth** + +Per-user OAuth with dynamic client registration (DCR) is the only authentication method this option supports — there's no bearer token or API key fallback. Each user authorizes individually, and C1 registers itself with Notion's authorization server automatically, so there's no app to create in Notion first (see Notion's [Connecting to Notion MCP](https://developers.notion.com/guides/mcp/get-started-with-mcp) documentation). + + + +Follow [Register an MCP server](/product/admin/mcp-servers#register-an-mcp-server) and select **Notion** from the catalog. + + +When you [configure authentication](/product/admin/mcp-servers#configure-authentication), choose **OAuth2 — per-user passthrough** and enable **Use dynamic client registration**. There's no client ID or secret to enter. + + +Save your changes. The first time a user calls a Notion tool from their AI client, they're redirected to Notion to sign in (if they aren't already) and approve the connection, then returned to C1. + + + +**What access is granted** + +Unlike the Notion API option, there are no separate capability toggles to configure. Once a user authorizes, tool calls run with that user's full Notion permissions — they can access everything the user can already access in Notion, including pages, databases, and comments, plus any connected sources their Notion AI connectors expose ([Notion MCP](https://www.notion.com/help/notion-mcp)). + +**How Notion MCP credentials are shared** -## How C1 connects to Notion +This option only supports per-user OAuth — there's no shared, service-account, or bearer-token mode. Every tool call runs under the calling user's own Notion identity, and Notion attributes each action to that individual. C1 still attributes each call to the individual user in the [AI tool usage audit log](/product/admin/audit-ai-tool-usage). + +**Discover and govern tools** + +After you register the server, C1 runs tool discovery against Notion's MCP server. Discovered tools appear on the server's **Tools** tab and include Notion's own search and fetch tools, page and database creation and editing, page duplication, comments, teamspaces, users, and database views. + +Each tool starts as either **Pending review** or automatically **Approved**, depending on the option chosen when the server was set up or your tenant's default tool settings in **AI** > **MCP** > **Settings**. See [Require tool approval](/product/admin/enable-ai-access-management#require-tool-approval) and [Default tool classification](/product/admin/enable-ai-access-management#default-tool-classification). + +Before anyone can call a Notion tool, it must be approved, added to a toolset, and bound to an access profile. Continue to [Govern tools and toolsets](/product/admin/tools-and-toolsets) to set this up. + + +Tool discovery runs even if authentication isn't complete yet, so seeing discovered tools doesn't confirm a user has authorized. You confirm access when an approved user successfully calls a Notion tool from their AI client. + + +**Manage access to Notion MCP** + +Because this option uses per-user OAuth, there's no shared secret in C1 to rotate. Users and admins manage access from Notion itself: + +- **An individual user can disconnect at any time.** In Notion, go to **Settings** > **Connections**, select the connection, open the **•••** menu, and choose **Disconnect the connection** ([Add and manage connections](https://www.notion.com/help/add-and-manage-connections-with-the-api)). +- **An Enterprise workspace owner can revoke access for one user or everyone.** In Notion, go to **Settings** > **Connections** > **Manage**, open the **•••** menu next to the connection, then choose **Revoke specific users' access to a connection** or **Disconnect all users** ([Enterprise connection settings](https://www.notion.com/help/enterprise-connection-settings)). Disconnecting all users revokes every external AI tool and MCP client connected through Notion MCP at once; affected users must re-authenticate to reconnect. + + + + C1 hosts the Notion MCP server, so your users' AI clients only ever see MCP tools — they never call Notion directly. When an AI client calls one of these tools, C1 makes the matching request to the Notion API using the credentials you configure here, then returns the result to the AI client. -The credentials you set up below are what C1 uses to call Notion on your users' behalf. +Notion supports two ways to authenticate, and you choose one when you register the server: + +- **Per-user OAuth** (recommended). Each person authorizes with their own Notion account, so every tool call runs under that user's Notion identity and permissions. +- **Internal integration secret**. A single bearer token authenticates everyone, so all tool calls reach Notion as one shared identity. -## Before you begin +For a deeper comparison of shared versus per-user credentials, see [Configure authentication](/product/admin/mcp-servers#configure-authentication). + +**Before you begin** - AI access management must be enabled for your tenant. See [Enable AI access management](/product/admin/enable-ai-access-management). - For per-user OAuth, you need permission to create a public integration. See Notion's [Create integrations with the Notion API](https://www.notion.com/help/create-integrations-with-the-notion-api) documentation. - For an internal integration secret, you need to be a **Workspace Owner** of the Notion workspace. -If you don't see **Notion** in your MCP server catalog, [contact the C1 support team](mailto:support@c1.ai) to enable it for your tenant. +In your MCP server catalog, this option is listed as **Notion API** — distinct from the **Notion** entry, which connects to Notion's own hosted MCP server. If you don't see either, [contact the C1 support team](mailto:support@c1.ai) to enable it for your tenant. -## Option 1: Set up per-user OAuth +**Option 1: Set up per-user OAuth** With per-user OAuth, you register one Notion public integration and each user authorizes individually. This keeps every action attributable to the user who took it, with only the access that user already has in Notion. -### Create a Notion public integration - -Create a public integration in Notion that users will authorize through. +First, create a public integration in Notion that users will authorize through: @@ -67,13 +137,11 @@ Copy the integration's **Client ID** and **Client Secret**. -### Register the server with OAuth - -With your public integration ready, register the server and provide its credentials to C1. +With your public integration ready, register the server and provide its credentials to C1: -Follow [Register an MCP server](/product/admin/mcp-servers#register-an-mcp-server) and select **Notion** from the catalog. +Follow [Register an MCP server](/product/admin/mcp-servers#register-an-mcp-server) and select **Notion API** from the catalog. When you [configure authentication](/product/admin/mcp-servers#configure-authentication), choose per-user OAuth and enter your integration's **client ID** and **client secret**. @@ -83,13 +151,11 @@ Save your changes. The first time a user calls a Notion tool from their AI clien -## Option 2: Use an internal integration secret +**Option 2: Use an internal integration secret** An internal integration secret authenticates every user as one shared Notion identity. Use this when per-user attribution in Notion isn't required. -### Create an internal integration - -Create an internal integration in Notion and connect it to the pages C1 should reach. +First, create an internal integration in Notion and connect it to the pages C1 should reach: @@ -111,13 +177,11 @@ Connect the integration to the pages it should reach. An internal integration se For a shared production setup, create the integration from a dedicated service-account user so activity is attributable to C1 rather than a person. -### Register the server with a secret - -With your internal integration secret ready, register the server and provide it to C1. +With your internal integration secret ready, register the server and provide it to C1: -Follow [Register an MCP server](/product/admin/mcp-servers#register-an-mcp-server) and select **Notion** from the catalog. +Follow [Register an MCP server](/product/admin/mcp-servers#register-an-mcp-server) and select **Notion API** from the catalog. When you [configure authentication](/product/admin/mcp-servers#configure-authentication), choose **Bearer token** and paste your internal integration secret. @@ -127,7 +191,7 @@ Save your changes. C1 starts a sync that discovers the tools the Notion server e -## How Notion credentials are shared +**How Notion API credentials are shared** How Notion sees your users' activity depends on the method you chose: @@ -136,7 +200,7 @@ How Notion sees your users' activity depends on the method you chose: For how shared and per-user credentials work across MCP servers, see [Configure authentication](/product/admin/mcp-servers#configure-authentication). -## Discover and govern tools +**Discover and govern tools** After you register the server, C1 runs tool discovery against Notion. Discovered tools appear on the server's **Tools** tab. @@ -148,8 +212,12 @@ Before anyone can call a Notion tool, it must be approved, added to a toolset, a Tool discovery runs even if your credentials are incorrect, so seeing discovered tools doesn't confirm that authentication is working. You confirm your Notion credentials when an approved user successfully calls a Notion tool from their AI client. -## Manage your Notion credentials +**Manage your Notion API credentials** - **Rotate the OAuth client secret** on your public integration's **Configuration** tab in Notion, then update the secret on the server's authentication settings in C1. - **Rotate the internal integration secret** by regenerating it on the integration's **Configuration** tab in Notion and updating it in C1. - **Adjust access** by editing the integration's capabilities, and for an internal integration, the set of pages it's connected to. + + + + From 707a49672ed6d906ee54d380074349b1fa418828 Mon Sep 17 00:00:00 2001 From: Melinda Moreland Date: Fri, 17 Jul 2026 14:56:20 -0700 Subject: [PATCH 2/2] docs: restore real headings in Notion MCP tabs The PR demoted section headings (Before you begin, Set up per-user OAuth, Discover and govern tools, etc.) to bold text when moving content into blocks. Restore them as ## headings, consistent with how other Tab-based connector pages in this repo structure headings (e.g. baton/1password.mdx), and so Mintlify's page outline and heading anchors keep working. Co-Authored-By: Claude Sonnet 4.6 --- product/admin/mcp-server/notion.mdx | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/product/admin/mcp-server/notion.mdx b/product/admin/mcp-server/notion.mdx index ef5c389b..a49e9952 100644 --- a/product/admin/mcp-server/notion.mdx +++ b/product/admin/mcp-server/notion.mdx @@ -33,7 +33,7 @@ Use the native **Notion MCP** option (listed as plain **Notion** in your catalog C1 registers as a client of Notion's own hosted MCP server ([Notion MCP](https://www.notion.com/help/notion-mcp)) rather than translating Notion's REST API itself. Your users' AI clients still only ever see C1-governed MCP tools, but C1 proxies each tool call straight through to `mcp.notion.com` under the connected user's authorized session, then returns the result. The tools available are exactly the ones Notion's own MCP server exposes — C1 doesn't reshape or add to them. -**Before you begin** +## Before you begin - AI access management must be enabled for your tenant. See [Enable AI access management](/product/admin/enable-ai-access-management). - Nothing to create in Notion ahead of time. This option only supports per-user OAuth with dynamic client registration — Notion's hosted MCP server doesn't offer a bearer token or API key mode, so there's no client ID, secret, or integration to register. Each user just needs a Notion account with access to the workspace. @@ -43,7 +43,7 @@ C1 registers as a client of Notion's own hosted MCP server ([Notion MCP](https:/ In your MCP server catalog, this option is listed as **Notion** — distinct from the **Notion API** entry, which connects through C1's own MCP server. If you don't see either, [contact the C1 support team](mailto:support@c1.ai) to enable it for your tenant. -**Set up per-user OAuth** +## Set up per-user OAuth Per-user OAuth with dynamic client registration (DCR) is the only authentication method this option supports — there's no bearer token or API key fallback. Each user authorizes individually, and C1 registers itself with Notion's authorization server automatically, so there's no app to create in Notion first (see Notion's [Connecting to Notion MCP](https://developers.notion.com/guides/mcp/get-started-with-mcp) documentation). @@ -59,15 +59,15 @@ Save your changes. The first time a user calls a Notion tool from their AI clien -**What access is granted** +## What access is granted Unlike the Notion API option, there are no separate capability toggles to configure. Once a user authorizes, tool calls run with that user's full Notion permissions — they can access everything the user can already access in Notion, including pages, databases, and comments, plus any connected sources their Notion AI connectors expose ([Notion MCP](https://www.notion.com/help/notion-mcp)). -**How Notion MCP credentials are shared** +## How Notion MCP credentials are shared This option only supports per-user OAuth — there's no shared, service-account, or bearer-token mode. Every tool call runs under the calling user's own Notion identity, and Notion attributes each action to that individual. C1 still attributes each call to the individual user in the [AI tool usage audit log](/product/admin/audit-ai-tool-usage). -**Discover and govern tools** +## Discover and govern tools After you register the server, C1 runs tool discovery against Notion's MCP server. Discovered tools appear on the server's **Tools** tab and include Notion's own search and fetch tools, page and database creation and editing, page duplication, comments, teamspaces, users, and database views. @@ -79,7 +79,7 @@ Before anyone can call a Notion tool, it must be approved, added to a toolset, a Tool discovery runs even if authentication isn't complete yet, so seeing discovered tools doesn't confirm a user has authorized. You confirm access when an approved user successfully calls a Notion tool from their AI client. -**Manage access to Notion MCP** +## Manage access to Notion MCP Because this option uses per-user OAuth, there's no shared secret in C1 to rotate. Users and admins manage access from Notion itself: @@ -99,7 +99,7 @@ Notion supports two ways to authenticate, and you choose one when you register t For a deeper comparison of shared versus per-user credentials, see [Configure authentication](/product/admin/mcp-servers#configure-authentication). -**Before you begin** +## Before you begin - AI access management must be enabled for your tenant. See [Enable AI access management](/product/admin/enable-ai-access-management). - For per-user OAuth, you need permission to create a public integration. See Notion's [Create integrations with the Notion API](https://www.notion.com/help/create-integrations-with-the-notion-api) documentation. @@ -109,7 +109,7 @@ For a deeper comparison of shared versus per-user credentials, see [Configure au In your MCP server catalog, this option is listed as **Notion API** — distinct from the **Notion** entry, which connects to Notion's own hosted MCP server. If you don't see either, [contact the C1 support team](mailto:support@c1.ai) to enable it for your tenant. -**Option 1: Set up per-user OAuth** +## Option 1: Set up per-user OAuth With per-user OAuth, you register one Notion public integration and each user authorizes individually. This keeps every action attributable to the user who took it, with only the access that user already has in Notion. @@ -151,7 +151,7 @@ Save your changes. The first time a user calls a Notion tool from their AI clien -**Option 2: Use an internal integration secret** +## Option 2: Use an internal integration secret An internal integration secret authenticates every user as one shared Notion identity. Use this when per-user attribution in Notion isn't required. @@ -191,7 +191,7 @@ Save your changes. C1 starts a sync that discovers the tools the Notion server e -**How Notion API credentials are shared** +## How Notion API credentials are shared How Notion sees your users' activity depends on the method you chose: @@ -200,7 +200,7 @@ How Notion sees your users' activity depends on the method you chose: For how shared and per-user credentials work across MCP servers, see [Configure authentication](/product/admin/mcp-servers#configure-authentication). -**Discover and govern tools** +## Discover and govern tools After you register the server, C1 runs tool discovery against Notion. Discovered tools appear on the server's **Tools** tab. @@ -212,7 +212,7 @@ Before anyone can call a Notion tool, it must be approved, added to a toolset, a Tool discovery runs even if your credentials are incorrect, so seeing discovered tools doesn't confirm that authentication is working. You confirm your Notion credentials when an approved user successfully calls a Notion tool from their AI client. -**Manage your Notion API credentials** +## Manage your Notion API credentials - **Rotate the OAuth client secret** on your public integration's **Configuration** tab in Notion, then update the secret on the server's authentication settings in C1. - **Rotate the internal integration secret** by regenerating it on the integration's **Configuration** tab in Notion and updating it in C1.