lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Notion

Notion Labssaas4 credentials

Credentials4 documented
01

Personal Access Token

notion / personal-access-token

Notion personal access tokens authenticate API requests as the user who created the token. Notion documents PATs as bearer tokens and shows them stored in NOTION_API_KEY with an ntn_ example prefix.

user definedsecrettoken

Looks like

example
example

Notion API token prefix shown in Notion API-key handling docs

ntn_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Location

environment
NOTION_API_KEY, NOTION_TOKEN
http header
Authorization

Bearer token used for Notion API requests

config file

.env files, Notion SDK config, deployment manifests, and local examples

secret store

cloud secret managers, hosted app settings, and CI/CD variables

source code

scripts, examples, notebooks, and committed integration code

logs

HTTP client debug output, CI traces, and stack traces that include headers

Notes

A PAT acts as the creator and can access the same Notion content that the creator can access, subject to workspace policy and token permissions.

02

Internal Connection Installation Access Token

notion / internal-connection-token

Notion internal connections use a static installation access token to authenticate REST API requests. Notion documents that the connection sends the same token in every API request.

generated on installsecrettoken

Looks like

example
example

Notion API token prefix shown in Notion API-key handling docs

ntn_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Location

environment
NOTION_API_KEY, NOTION_INTEGRATION_TOKEN, NOTION_TOKEN
http header
Authorization

Bearer token used for Notion API requests

config file

.env files, SDK configuration, Docker Compose files, and deployment manifests

secret store

production secret stores, CI/CD variables, and platform app settings

source code

Notion integrations, examples, tests, and committed local config

logs

API request logging, failed request traces, and CI output

Notes

Internal connection access belongs to the connection's bot user and persists independently of the workspace member who shared a page with it.

03

OAuth Access / Refresh Token

notion / oauth-access-refresh-token

Notion public connections use OAuth 2.0. Notion documents that the code exchange returns an access_token and refresh_token, and that the connection stores both tokens for future API requests and token refresh.

generated on installsecrettoken

Location

http response

OAuth token exchange responses containing access_token and refresh_token

http header
Authorization

Bearer access token used for Notion API requests

database

public connection installation token stores

config file

local OAuth examples, serialized token caches, and integration config

secret store

encrypted application secret stores and cloud secret managers

logs

OAuth callback logs, token exchange logs, and application debug traces

Notes

OAuth tokens represent delegated access granted through a public Notion connection. Blast radius depends on installation scope, selected pages, and the connection's capabilities.

04

OAuth Client Secret

notion / oauth-client-secret

Notion public connections have an OAuth client ID and OAuth client secret. Notion documents that the client ID identifies the connection and the client secret proves the connection is who it claims to be during code exchange for an access token.

generated on installsecretsecret value

Location

config file

OAuth backend config, .env files, deployment manifests, and SDK examples

environment
NOTION_CLIENT_ID, NOTION_CLIENT_SECRET
secret store

cloud secret managers, CI/CD variables, and hosted app settings

source code

accidentally committed public-connection examples and deployment scripts

logs

OAuth token exchange request dumps and failed authorization traces

Notes

The client ID is an identifier, but the client secret is confidential. Exposure can let an attacker impersonate the Notion public connection in OAuth token exchange flows.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.