@notionhq/notion-mcp-server

MCP

Official MCP server for Notion API

v2.1.0 MIT Tested 8 Feb 2026
7.5

Dimension scores

Security 7.0
Reliability 7.0
Agent usability 7.0
Compatibility 9.0
Code health 8.0

Compatibility

Framework | Status | Notes
Claude Code | |
OpenAI Agents SDK | | File upload operations require special handling: multipart/form-data may need an adapter layer. SSE transport is supported but requires the --transport http flag, which is not the default.
LangChain | | May require a wrapper to handle FormData file uploads in a LangChain context.

Security findings

MEDIUM

Sensitive authentication token logged to console in plain text

MEDIUM

Environment variable parsing from OPENAPI_MCP_HEADERS allows arbitrary header injection

MEDIUM

File path validation insufficient - potential path traversal

MEDIUM

Recursive JSON deserialization without depth limit

MEDIUM

Error messages may leak internal implementation details

Reliability

Success rate

78%

Calls made

100

Avg latency

450ms

P95 latency

1200ms

Failure modes

  • Missing operationId in OpenAPI spec causes unhandled error (line 156 http-client.ts)
  • File upload with invalid path throws generic error but operation continues (http-client.ts:101-107)
  • Empty string parameters not validated, passed through to API causing potential 400s
  • Double-serialized JSON parameters from MCP clients require deserialization workaround (proxy.ts:28-54)
  • No timeout protection on HTTP operations - can hang indefinitely on slow/unresponsive APIs
  • Concurrent requests have no rate limiting or connection pooling - risk of resource exhaustion
  • FormData file streams not properly closed on error paths (http-client.ts:100-107)
  • Missing null/undefined checks for optional OpenAPI spec fields (parser would need review)
  • Authorization middleware returns void, relies on Express error handling
  • Bearer token stored in plain memory, vulnerable to memory dumps

Code health

License

MIT

Has tests

Yes

Has CI

No

Dependencies

24

Well-structured TypeScript MCP server with good test coverage, comprehensive documentation, and proper TypeScript configuration. Code shows solid engineering practices including test files for core modules (http-client, parser, proxy), type safety with TypeScript/OpenAPI types, and clear separation of concerns. README is substantial (12KB) with setup instructions and images. Missing CI configuration and CHANGELOG are the main gaps. Dependencies include standard MCP SDK, Express for HTTP transport, and testing with Vitest. Code includes recent bug fixes (issue #176 for double-serialization) and thoughtful features like Node 18 polyfills. Docker support present. Overall a well-maintained, production-quality codebase with minor documentation gaps.