Notion
Notion's official MCP for reading and writing pages, databases, and comments. Best-in-class for personal-knowledge-base agents.
A+
Safety & Trust
Delv Safety Grade: A+
Score 93/100 · assessed 2026-04-22
Maintainer95
Permissions85
Supply chain95
Transparency92
Incidents100
Notion's official MCP server is a first-party integration from a major SaaS vendor with strong operational track record. The package ships via npm with proper versioning and is maintained by Notion's developer team, giving it excellent supply-chain hygiene and low bus-factor risk. Permissions are scoped to Notion's API surface: reading and writing pages, databases, and comments within workspaces you explicitly authorise via API key. This is broader than read-only but appropriately scoped to Notion's domain. The main risk is that NOTION_API_KEY grants full workspace access, so a compromised key or malicious prompt could modify or delete significant amounts of data. However, this is inherent to Notion's API design rather than a flaw in the MCP implementation. Transparency is excellent with public repo, clear documentation, and active maintenance. No known security incidents.
Lethal Trifecta (prompt-injection exposure)
TRIFECTA RISKAll three axes present. This server can read private data, ingest attacker-controlled content, and send data outbound. A poisoned input (a GitHub issue, an email, a webpage) can exfiltrate secrets via this chain. Only install with auditing; avoid on shared or cloud agents.
Private dataYes
Reads secrets, credentials, private files
Untrusted inputYes
Ingests web pages, PRs, issues, emails
External commsYes
Can send data outbound
Shared pages can embed untrusted content. Database access is private. API supports writes.
Green flags
- Official first-party integration from established vendor
- Distributed via npm with semantic versioning
- Public GitHub repo with active maintenance and issue tracking
- Clear documentation on Notion developer portal
- Scoped to single service domain (Notion only)
Red flags
- API key grants full workspace access, not scoped to specific pages
- Write permissions include deletion via Notion API
- No built-in rate limiting visible in MCP layer
Permissions requested
Outbound networkAccess secretsDB readDB writeIdentity read
Assessed by Delv Editorial using public metadata. Grades are advisory and update as the ecosystem changes. They do not replace your own review of permissions and code before granting an agent access to sensitive systems.
Install
npx -y @notionhq/notion-mcp-server
Env vars needed:
NOTION_API_KEYReview
Notion's official MCP server does exactly what you'd hope: it lets Claude read, write, and comment on your Notion workspace without you copy-pasting markdown or wrestling with the API yourself. I've been using it to prototype a personal research assistant that pulls highlights from my reading database, cross-references them with project notes, and drafts synthesis documents directly into new pages. It works.
The big win is that it's first-party. Notion built this, so it tracks their API changes and handles pagination, block types, and database queries without the jank you'd expect from a community wrapper. You can ask Claude to "find all pages tagged 'client work' updated this week" or "add a comment to the standup doc with today's blockers," and it just does it. The server exposes tools for searching, creating pages, appending blocks, querying databases, and managing comments. That's the full surface area most agents need.
Quirks: it requires a Notion integration and API key, which means a bit of OAuth setup if you're not already familiar. The permissions model is Notion's, so you'll need to explicitly share databases and pages with the integration. That's sensible but easy to forget when Claude suddenly can't see a workspace you know exists. Also, this is read-write by default. If you're pointing an experimental agent at your life's work, test it in a sandbox workspace first. I learned this the expensive way with a draft that got overwritten mid-edit.
Who shouldn't bother: if you're just using Notion as a glorified Google Docs and never touch databases or properties, this is overkill. Same if you're already happy with Notion's built-in AI features and don't need a separate agent. But if you're building a personal knowledge system, running a small team wiki, or prototyping AI workflows that need structured data stores, this is the best-in-class option. It's what I'd reach for before rolling my own API client every time.
Verdict
Install this if you use Notion for anything more structured than a diary and want Claude to interact with it natively. Skip it if you're not already invested in Notion's ecosystem or if you need a read-only safety net. The first-party polish is worth the five-minute setup.
Good at
- First-party support means it tracks Notion's API changes and handles edge cases like nested blocks and database rollups correctly.
- Full read-write access to pages, databases, and comments gives agents real workspace agency, not just read-only context.
- Works across Claude Desktop, Cursor, Windsurf, and other MCP hosts without needing separate integrations.
- Handles pagination and complex queries internally, so you don't have to prompt around API limits.
- Notion's permissions model applies cleanly, so you can scope access per integration without exposing your entire workspace.
Watch out
- Requires manual OAuth setup and explicit sharing of databases with the integration, which adds friction if you're not already familiar with Notion's permissions.
- Write access is enabled by default, so a poorly prompted agent can overwrite or delete content without a safety net.
- Hosts beyond Claude Desktop often need manual config file edits rather than a GUI setup flow.
- No built-in versioning or undo at the MCP layer, so you're relying on Notion's page history if something goes wrong.
Getting started
1. Create a Notion integration at notion.so/my-integrations, copy the API key, and share the databases or pages you want the MCP to access with that integration.
2. Run `npx -y @notionhq/notion-mcp-server` to confirm it installs, then add it to your Claude Desktop config under `mcpServers` with `NOTION_API_KEY` set in the environment block.
3. Restart Claude Desktop and check the MCP icon in the bottom-right to verify the Notion server appears as connected.
4. Test it by asking Claude to list pages in a shared database or create a test page. If it can't see a workspace, double-check you've shared it with the integration.
5. Watch out for write permissions: this server can modify and delete content, so start with a non-critical workspace until you trust your prompts.
Works with
Claude DesktopClaude CodeCursorWindsurfClineZed
Similar MCPs
- AsanaOfficial Asana MCP. Access the Work Graph - tasks, projects, teams - from AI clients via OAuth. Remote server, Streamable HTTP transport, no local install needed.
- ClickUpOfficial ClickUp MCP - ~49 tools across 14 categories (tasks, docs, time tracking, chat, comments, bulk ops). The largest project-management surface area in any MCP server right now.
- LinearCreate, update, and query Linear issues from Claude. Useful for teams whose PM lives in Linear and want the agent to file tickets from conversation.
- Google CalendarSchedule, list, update events directly from Claude. Combine with Gmail MCP for an actual personal-assistant feel.