Notion MCP Server
Official MCP server for the Notion API, auto-generated from OpenAPI specification
Server Info
- Package: @notionhq/notion-mcp-server
- Registry: npm
- Repository: makenotion/notion-mcp-server
- Maintainer: Notion (Vendor)
- Category: Project Management
- Tags: docs, databases, productivity
- Last Scanned: 7 Apr 2026
Findings
3 issues
Authentication & Identity
HIGH: No per-request auth - requires instance-per-user
Stdio-only transport via StdioServerTransport. Auth via NOTION_TOKEN env var (converted to Bearer header with Notion-Version header) or OPENAPI_MCP_HEADERS env var (raw JSON headers object). No HTTP transport in the server itself. No MCP OAuth implementation. The proxy.ts parseHeadersFromEnv() metho... For multi-tenant deployment, the platform must spawn a separate server instance per user.
Add HTTP/SSE transport to accept per-request Authorization headers, or implement the MCP OAuth spec.
Tool Schema Quality
HIGH: Required fields missing on 3 write operations
Write tools without required field declarations: API-post-page, API-create-a-comment, API-create-a-data-source.
Add required arrays to all write/delete tool schemas.
MEDIUM: Only 0 of 22 schemas have parameter constraints
Most schemas lack maxLength, enum, or pattern constraints on string parameters.
Add constraints to string parameters, especially on write operations.
Tools
22 total

| Name | Description | Risk |
|---|---|---|
| API-get-user | Notion \| Retrieve a user | read |
| API-get-users | Notion \| List all users | read |
| API-get-self | Notion \| Retrieve your token's bot user | read |
| API-post-search | Notion \| Search by title | read |
| API-get-block-children | Notion \| Retrieve block children | read |
| API-patch-block-children | Notion \| Append block children | write |
| API-retrieve-a-block | Notion \| Retrieve a block | read |
| API-update-a-block | Notion \| Update a block | write |
| API-delete-a-block | Notion \| Delete a block | admin |
| API-retrieve-a-page | Notion \| Retrieve a page | read |
| API-patch-page | Notion \| Update page properties | write |
| API-post-page | Notion \| Create a page | write |
| API-retrieve-a-page-property | Notion \| Retrieve a page property item | read |
| API-retrieve-a-comment | Notion \| Retrieve comments | read |
| API-create-a-comment | Notion \| Create comment | write |
| API-query-data-source | Notion \| Query a data source | read |
| API-retrieve-a-data-source | Notion \| Retrieve a data source | read |
| API-update-a-data-source | Notion \| Update a data source | write |
| API-create-a-data-source | Notion \| Create a data source | write |
| API-list-data-source-templates | Notion \| List templates in a data source | read |
| API-retrieve-a-database | Notion \| Retrieve a database | read |
| API-move-page | Notion \| Move a page | write |
Deploy Notion MCP Server securely
CompleteFlow adds per-user authentication, permission scoping, and audit logging to any MCP server out of the box.