notion-security-basics

Apply Notion API security best practices for integration tokens, OAuth2 flows, least-privilege capabilities, and page-level access control. Use when securing integration tokens, configuring OAuth2 for public integrations, rotating credentials, or auditing which pages an integration can access. Trigger with phrases like "notion security", "notion secrets", "secure notion", "notion API key security", "notion token rotation", "notion OAuth2", "notion permissions audit".

AI & Automation 2,249 stars 312 forks Updated today MIT

Skill Content

# Notion Security Basics

## Overview

Security fundamentals for the Notion API: integration token management, internal vs public integration models, principle of least privilege for capabilities, page-level access auditing, token rotation, OAuth2 flows for public integrations, and webhook verification. All examples use `@notionhq/client` v2.x and target the `2022-06-28` API version.

## Prerequisites

- Notion integration created at [notion.so/my-integrations](https://www.notion.so/my-integrations)
- Node.js 18+ with `@notionhq/client` installed (`npm install @notionhq/client`)
- Understanding of environment variables and `.env` file patterns
- For public integrations: OAuth2 client ID and secret from the integration dashboard

## Instructions

### Step 1: Secure Token Storage and `.env` Management

Integration tokens are secrets with the same sensitivity as database passwords. Notion tokens use the `ntn_` prefix (current) or `secret_` prefix (legacy). Both grant full access to every page shared with the integration.

```bash
# .gitignore — add these patterns BEFORE creating .env
.env
.env.local
.env.*.local
.env.production
.env.staging

# .env.example — commit this template (no real values)
NOTION_TOKEN=ntn_your_internal_integration_token_here
NOTION_OAUTH_CLIENT_ID=
NOTION_OAUTH_CLIENT_SECRET=
NOTION_OAUTH_REDIRECT_URI=http://localhost:3000/auth/notion/callback
```

```typescript
import { Client } from '@notionhq/client';

// Always load tokens from environment — never har...
```
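
A pre-commit style check for the two token prefixes named in Step 1, as an added example that is not code from the skill or its repository. The function names `findNotionTokens` and `scanFiles`, the sample files, and the token body pattern (20 or more alphanumeric characters after the prefix) are assumptions; the page states only the prefixes.

```javascript
// Added example: flag strings that look like Notion integration tokens
// in text about to be committed.
// ASSUMPTION: a real token is the prefix followed by 20+ alphanumeric
// characters. The page gives only the prefixes, not the body format.
const TOKEN_RE = /\b(ntn|secret)_[A-Za-z0-9]{20,}/g;

function findNotionTokens(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const m of line.matchAll(TOKEN_RE)) {
      findings.push({
        line: i + 1,
        kind: m[1] === 'ntn' ? 'current' : 'legacy',
        // Report prefix and body length only, so the scanner's own
        // output (CI logs, terminal history) does not leak the token.
        redacted: `${m[1]}_<${m[0].length - m[1].length - 1} chars>`,
      });
    }
  });
  return findings;
}

// files: { path: content }. Returns findings tagged with their path.
function scanFiles(files) {
  return Object.entries(files).flatMap(([path, content]) =>
    findNotionTokens(content).map((f) => ({ path, ...f })));
}

// Constructed sample input. The token-like values are made up and built
// by concatenation so this file does not itself contain a matching string.
const SAMPLE = {
  // The page's placeholder must not match: its body contains underscores.
  '.env.example': 'NOTION_TOKEN=ntn_your_internal_integration_token_here\n' +
    'NOTION_OAUTH_CLIENT_SECRET=\n',
  'src/notion.js': "const notion = new Client({ auth: 'ntn_" +
    'A1b2C3d4'.repeat(4) + "' });\n",
  'scripts/old.sh': '# legacy\nexport NOTION_TOKEN=secret_' +
    'x9Y8z7W6'.repeat(5) + '\n',
};

for (const h of scanFiles(SAMPLE)) {
  console.log(`${h.path}:${h.line} ${h.kind} token ${h.redacted}`);
}
```

The leading `\b` keeps identifiers such as `client_secret_...` from matching, because an underscore before `secret` is a word character.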

Details

Author: jeremylongshore
Repository: jeremylongshore/claude-code-plugins-plus-skills
Created: 7 months ago
Last Updated: today
Language: Python
License: MIT