Connect a Notion MCP Server to Teleport
Teleport can provide secure access to MCP servers via Teleport Application Service.
In this guide, you will:
- Configure your Notion service for access by the MCP server.
- Run the Notion MCP Server.
- Enroll the MCP server into your Teleport cluster and connect to it.
How it works
The Notion MCP server uses an integration token to access Notion and runs on a local endpoint reachable by the Teleport Application Service. Teleport proxies all client requests to the server, which interacts with Notion using the permissions granted to the integration.
Prerequisites
-
A running Teleport (v18.3.0 or higher) cluster. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.
-
The
tshclient.Installing
tshclient-
Determine the version of your Teleport cluster. The
tshclient must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at/v1/webapi/findand use a JSON query tool to obtain your cluster version. Replace teleport.example.com:443 with the web address of your Teleport Proxy Service:TELEPORT_DOMAIN=teleport.example.com:443TELEPORT_VERSION="$(curl -s https://$TELEPORT_DOMAIN/v1/webapi/find | jq -r '.server_version')" -
Follow the instructions for your platform to install
tshclient:- Mac
- Windows - Powershell
- Linux
Download the signed macOS .pkg installer for Teleport, which includes the
tshclient:curl -O https://cdn.teleport.dev/teleport-${TELEPORT_VERSION?}.pkgIn Finder double-click the
pkgfile to begin installation.dangerUsing Homebrew to install Teleport is not supported. The Teleport package in Homebrew is not maintained by Teleport and we can't guarantee its reliability or security.
curl.exe -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-windows-amd64-bin.zipUnzip the archive and move the `tsh` client to your %PATH%
NOTE: Do not place the `tsh` client in the System32 directory, as this can cause issues when using WinSCP.
Use %SystemRoot% (C:\Windows) or %USERPROFILE% (C:\Users\<username>) instead.
All of the Teleport binaries in Linux installations include the
tshclient. For more options (including RPM/DEB packages and downloads for i386/ARM/ARM64) see our installation page.curl -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gztar -xzf teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gzcd teleportsudo ./installTeleport binaries have been copied to /usr/local/bin
-
- Access to your Notion workspace and sufficient privileges to manage integrations.
- A host to run the MCP server that is reachable by the Teleport Application Service.
- A running Teleport Application Service. If you have not yet done this, follow the Getting Started guide.
- A Teleport user with sufficient permissions (e.g. role
mcp-user) to access MCP servers.
Step 1/3. Create an integration in Notion
Go to https://www.notion.so/profile/integrations and create a new internal integration.
To limit the scope available to LLMs, disable all permissions except "Read Content" in the "Capabilities" section.
Next, open "Access" tab and select the pages you want the integration to be able to access.
Finally, return to the "Configuration" tab, copy the "Internal Integration Secret" for use in the next step.
Step 2/3. Run the Notion MCP server
Start the Notion MCP server using your Notion integration token ntn_your_internal_integration_secret:
export NOTION_TOKEN=ntn_your_internal_integration_secretnpx @notionhq/notion-mcp-server --transport http --port 8000 --auth-token teleport-local-connection
The MCP server listens on all network interfaces by default. Run it on a private network and ensure the hostname localhost is reachable by the Teleport Application Service.
The --auth-token value is the shared secret Teleport uses to authenticate to
the MCP server. Since the MCP server is not publicly accessible, using a fixed
value is acceptable.
Step 3/3. Connect via Teleport
You can register an MCP application in Teleport by defining it in your Teleport
Application Service configuration, or by using dynamic registration with tctl
or Terraform:
- Static configuration
- tctl
- Terraform
Replace MCP_HOST with the host running the Notion MCP server:
app_service:
enabled: "yes"
apps:
- name: "notion-mcp"
uri: "mcp+http://MCP_HOST:8000/mcp"
labels:
env: dev
service: notion
Restart the Application Service.
Create an app resource definition file named app-notion-mcp.yaml. Replace
MCP_HOST with the host running the Notion MCP server:
# app-notion-mcp.yaml
kind: app
version: v3
metadata:
name: notion-mcp
labels:
env: dev
service: notion
spec:
uri: "mcp+http://MCP_HOST:8000/mcp"
Create the app resource with:
tctl create -f app-notion-app.yaml
Create a teleport_app resource in terraform. Replace MCP_HOST
with the host running the Notion MCP server:
resource "teleport_app" "grafana" {
version = "v3"
metadata = {
name = "grafana"
labels = {
"teleport.dev/origin" = "dynamic"
"env" = "dev"
"service" = "notion"
}
}
spec = {
uri = "mcp+http://MCP_HOST:8000/mcp"
}
}
Apply the configuration:
terraform apply
To grant access to the MCP server and all its tools, assign the preset
mcp-user role to your Teleport user.
Optionally, you can limit which MCP tools the user can access by adjusting the
mcp.tools list in their role. For example:
kind: role
version: v8
metadata:
name: notion-mcp-readonly
spec:
allow:
app_labels:
'service': 'notion'
mcp:
tools:
- API-get-*
- API-retrieve-*
- API-post-database-query
- API-post-search
Now wait until the application appears in tsh mcp ls, then configure your MCP
clients to access the MCP server, for example:
tsh mcp config notion-mcp --client-config claude
After configuring your MCP client, you will find Notion-related tools from
teleport-mcp-notion-mcp. You can now use these tools to interactive with
Notion via Teleport in your MCP clients:
Next steps
- Review Enroll a Streamable-HTTP MCP Server.
- See the dynamic registration guide.
- Learn more about notion-mcp-server.
- Connect your MCP clients.