Notion
Notion Labssaas4 credentials
Personal Access Token
notion / personal-access-token
Notion personal access tokens authenticate API requests as the user who created the token. Notion documents PATs as bearer tokens and shows them stored in NOTION_API_KEY with an ntn_ example prefix.
Looks like
examplentn_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXLocation
NOTION_API_KEY, NOTION_TOKENAuthorizationBearer token used for Notion API requests
.env files, Notion SDK config, deployment manifests, and local examples
cloud secret managers, hosted app settings, and CI/CD variables
scripts, examples, notebooks, and committed integration code
HTTP client debug output, CI traces, and stack traces that include headers
Notes
A PAT acts as the creator and can access the same Notion content that the creator can access, subject to workspace policy and token permissions.
Internal Connection Installation Access Token
notion / internal-connection-token
Notion internal connections use a static installation access token to authenticate REST API requests. Notion documents that the connection sends the same token in every API request.
Looks like
examplentn_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXLocation
NOTION_API_KEY, NOTION_INTEGRATION_TOKEN, NOTION_TOKENAuthorizationBearer token used for Notion API requests
.env files, SDK configuration, Docker Compose files, and deployment manifests
production secret stores, CI/CD variables, and platform app settings
Notion integrations, examples, tests, and committed local config
API request logging, failed request traces, and CI output
Notes
Internal connection access belongs to the connection's bot user and persists independently of the workspace member who shared a page with it.
OAuth Access / Refresh Token
notion / oauth-access-refresh-token
Notion public connections use OAuth 2.0. Notion documents that the code exchange returns an access_token and refresh_token, and that the connection stores both tokens for future API requests and token refresh.
Location
OAuth token exchange responses containing access_token and refresh_token
AuthorizationBearer access token used for Notion API requests
public connection installation token stores
local OAuth examples, serialized token caches, and integration config
encrypted application secret stores and cloud secret managers
OAuth callback logs, token exchange logs, and application debug traces
Notes
OAuth tokens represent delegated access granted through a public Notion connection. Blast radius depends on installation scope, selected pages, and the connection's capabilities.
OAuth Client Secret
notion / oauth-client-secret
Notion public connections have an OAuth client ID and OAuth client secret. Notion documents that the client ID identifies the connection and the client secret proves the connection is who it claims to be during code exchange for an access token.
Location
OAuth backend config, .env files, deployment manifests, and SDK examples
NOTION_CLIENT_ID, NOTION_CLIENT_SECRETcloud secret managers, CI/CD variables, and hosted app settings
accidentally committed public-connection examples and deployment scripts
OAuth token exchange request dumps and failed authorization traces
Notes
The client ID is an identifier, but the client secret is confidential. Exposure can let an attacker impersonate the Notion public connection in OAuth token exchange flows.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.