
# Connect a Notion MCP Server to Teleport

Teleport can provide secure access to MCP servers via the Teleport Application Service.

In this guide, you will:

1. Configure your Notion service for access by the MCP server.
2. Run the Notion MCP Server.
3. Enroll the MCP server into your Teleport cluster and connect to it.

## How it works

The [Notion MCP server](https://github.com/makenotion/notion-mcp-server) uses an integration token to access Notion and runs on a local endpoint reachable by the Teleport Application Service. Teleport proxies all client requests to the server, which interacts with Notion using the permissions granted to the integration.

## Prerequisites

- A running Teleport (v18.3.0 or higher) cluster. If you want to get started with Teleport, [sign up](https://goteleport.com/signup) for a free trial or [set up a demo environment](https://goteleport.com/docs/get-started/deploy-community.md).

- The `tsh` client.

  Installing `tsh` client

  1. Determine the version of your Teleport cluster. The `tsh` client must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at `/v1/webapi/find` and use a JSON query tool to obtain your cluster version. Replace `teleport.example.com:443` with the web address of your Teleport Proxy Service:

     **Mac/Linux**

     ```
     $ TELEPORT_DOMAIN=teleport.example.com:443
     $ TELEPORT_VERSION="$(curl -s https://$TELEPORT_DOMAIN/v1/webapi/find | jq -r '.server_version')"
     ```

     **Windows - PowerShell**

     ```
     $ $TELEPORT_DOMAIN = "teleport.example.com:443"
     $ $TELEPORT_VERSION = (Invoke-RestMethod -Uri "https://${TELEPORT_DOMAIN}/v1/webapi/find").server_version
     ```

  2. Follow the instructions for your platform to install the `tsh` client:

     **Mac**

     Download the signed macOS .pkg installer for Teleport, which includes the `tsh` client:

     ```
     $ curl -O https://cdn.teleport.dev/teleport-${TELEPORT_VERSION?}.pkg
     ```

     In Finder, double-click the `pkg` file to begin installation.

     ---

     DANGER

     Using Homebrew to install Teleport is not supported. The Teleport package in Homebrew is not maintained by Teleport and we can't guarantee its reliability or security.

     ---

     **Windows - PowerShell**

     ```
     $ curl.exe -O https://cdn.teleport.dev/teleport-v$TELEPORT_VERSION-windows-amd64-bin.zip
     # Unzip the archive and move the `tsh` client to your %PATH%
     # NOTE: Do not place the `tsh` client in the System32 directory, as this can cause issues when using WinSCP.
     # Use %SystemRoot% (C:\Windows) or %USERPROFILE% (C:\Users\<username>) instead.
     ```

     **Linux**

     All of the Teleport binaries in Linux installations include the `tsh` client. For more options (including RPM/DEB packages and downloads for i386/ARM/ARM64) see our [installation page](https://goteleport.com/docs/installation/single-machine.md).

     ```
     $ curl -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gz
     $ tar -xzf teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gz
     $ cd teleport
     $ sudo ./install
     Teleport binaries have been copied to /usr/local/bin
     ```

- Access to your Notion workspace and sufficient privileges to manage integrations.

- A host to run the MCP server that is reachable by the Teleport Application Service.

- A running Teleport Application Service. If you have not yet done this, follow the [Getting Started guide](https://goteleport.com/docs/enroll-resources/mcp-access/getting-started.md).

- A Teleport user with sufficient permissions (e.g. role `mcp-user`) to access MCP servers.

- A Notion integration with permissions to read content. This requires manually setting up the integration in the Notion Web UI.

  Setting up a Notion integration

  1. Go to <https://www.notion.so/profile/integrations> and create a new **internal integration**.

     ![Notion integration](/docs/assets/images/notion-integration-c9dd48d5ede89b5713f9b40e177b7963.png)

  2. Limit the scope available to LLMs: disable all permissions except "Read Content" in the "Capabilities" section.

  3. Open the "Access" tab and select the pages you want the integration to be able to access.

     ![Notion access](/docs/assets/images/notion-access-74f4f87ae62612edaeb2d07717bf44b0.png)

  4. Return to the "Configuration" tab and copy the "Internal Integration Secret" for use in the next step.

## Step 1/2. Run the Notion MCP server

Start the Notion MCP server using your Notion integration token `ntn_your_internal_integration_secret`:

```
$ export NOTION_TOKEN=ntn_your_internal_integration_secret
$ npx @notionhq/notion-mcp-server --transport http --port 8000 --auth-token teleport-local-connection
```

The MCP server listens on all network interfaces by default. Run it on a private network and ensure the hostname `MCP_HOST` is reachable by the Teleport Application Service.

The `--auth-token` value is the shared secret Teleport uses to authenticate to the MCP server. Since the MCP server is not publicly accessible, using a fixed value is acceptable.
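
Because the server binds to every interface by default, it is worth confirming on the MCP host how port 8000 is actually exposed. The following check is an added example, not part of the original guide or of Teleport: it classifies listeners from `ss -ltn` output, and the sample output and the `bind_scope` function name are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify how a TCP port is bound, from `ss -ltn` output.

# Sample `ss -ltn` output, constructed for this example.
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       511     *:8000              *:*
LISTEN  0       4096    10.0.3.15:3080      0.0.0.0:*
LISTEN  0       511     127.0.0.1:9000      0.0.0.0:*'

# bind_scope PORT: reads `ss -ltn` output on stdin and prints one line per
# listener on PORT: "wildcard", "loopback" or "specific", then the address.
bind_scope() {
  awk -v port="$1" '
    $1 == "LISTEN" {
      local_addr = $4
      idx = match(local_addr, /:[0-9]+$/)        # trailing ":port" suffix
      if (idx == 0 || substr(local_addr, idx + 1) != port) next
      addr = substr(local_addr, 1, idx - 1)
      if (addr == "*" || addr == "0.0.0.0" || addr == "[::]") scope = "wildcard"
      else if (addr ~ /^127\./ || addr == "[::1]")            scope = "loopback"
      else                                                    scope = "specific"
      print scope, addr
    }'
}

# On the MCP host, run: ss -ltn | bind_scope 8000
printf '%s\n' "$SAMPLE_SS" | bind_scope 8000
```

A `wildcard` result means every network the host is attached to can reach the port, so the fixed `--auth-token` is the only barrier; a host firewall rule that admits only the Teleport Application Service address to port 8000 narrows that.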

## Step 2/2. Connect via Teleport

You can register an MCP application in Teleport by defining it in your Teleport Application Service configuration, or by using dynamic registration with `tctl` or Terraform:

**Static configuration**

Replace `MCP_HOST` with the host running the Notion MCP server:

```
app_service:
  enabled: "yes"
  apps:
  - name: "notion-mcp"
    uri: "mcp+http://MCP_HOST:8000/mcp"
    labels:
      env: dev
      service: notion

```

Restart the Application Service.

**tctl**

Create an `app` resource definition file named `app-notion-mcp.yaml`. Replace `MCP_HOST` with the host running the Notion MCP server:

```
# app-notion-mcp.yaml
kind: app
version: v3
metadata:
  name: notion-mcp
  labels:
    env: dev
    service: notion
spec:
  uri: "mcp+http://MCP_HOST:8000/mcp"

```

Create the `app` resource with:

```
$ tctl create -f app-notion-mcp.yaml
```

**Terraform**

Create a `teleport_app` resource in Terraform. Replace `MCP_HOST` with the host running the Notion MCP server:

```
resource "teleport_app" "notion" {
  version = "v3"
  metadata = {
    # Same app name as the static and tctl examples.
    name = "notion-mcp"
    labels = {
      "teleport.dev/origin" = "dynamic"
      "env"                 = "dev"
      "service"             = "notion"
    }
  }

  spec = {
    uri = "mcp+http://MCP_HOST:8000/mcp"
  }
}

```

Apply the configuration:

```
$ terraform apply
```

---

MCP ENDPOINT PATHS

If the MCP endpoint includes a path such as `/mcp` or `/sse`, it can be included in the `uri`. For streamable-HTTP servers, Teleport uses the path in `uri` when an MCP client requests `/`. When the client requests a different path, Teleport forwards the request to that path instead of appending it to the path in `uri`. For example, if `uri` is `mcp+https://localhost:3000/mcp` and the MCP client requests `/.well-known/oauth-authorization-server`, Teleport forwards the request to `/.well-known/oauth-authorization-server`, not `/mcp/.well-known/oauth-authorization-server`.

---

To grant access to the MCP server and all its tools, assign the preset `mcp-user` role to your Teleport user.

Optionally, you can limit which MCP tools the user can access by adjusting the `mcp.tools` list in their role. For example:

```
kind: role
version: v8
metadata:
  name: notion-mcp-readonly
spec:
  allow:
    app_labels:
      'service': 'notion'
    mcp:
      tools:
      - API-get-*
      - API-retrieve-*
      - API-post-database-query
      - API-post-search

```
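
To see what the `mcp.tools` list above lets through, the sketch below evaluates it against a handful of tool names. It is an added example, not Teleport's matcher or code from the guide: it assumes `*` in an entry acts as a shell-style wildcard, and the sample tool names and the `tool_allowed` and `filter_tools` functions are constructed for illustration.

```shell
#!/bin/sh
# Added example: model the mcp.tools allow-list of the notion-mcp-readonly role.
# Assumption: "*" in an entry is a shell-style wildcard matching any characters.

# Allow-list copied from the role definition above.
ALLOWED_TOOLS='API-get-*
API-retrieve-*
API-post-database-query
API-post-search'

# Sample tool names, constructed for this example; list the real ones
# in your MCP client after connecting.
SAMPLE_TOOLS='API-get-users
API-retrieve-a-page
API-post-search
API-post-database-query
API-post-page
API-patch-page
API-update-a-block
API-delete-a-block
API-create-a-comment'

# tool_allowed NAME: succeeds if NAME matches any allow-list entry.
tool_allowed() {
  name=$1
  set -f                      # keep "*" from expanding against local files
  for pattern in $ALLOWED_TOOLS; do
    case $name in
      $pattern) set +f; return 0 ;;
    esac
  done
  set +f
  return 1
}

# filter_tools allow|deny: print the sample tools that get that verdict.
filter_tools() {
  want=$1
  for tool in $SAMPLE_TOOLS; do
    if tool_allowed "$tool"; then verdict=allow; else verdict=deny; fi
    if [ "$verdict" = "$want" ]; then echo "$tool"; fi
  done
  return 0
}

echo "allowed:"; filter_tools allow | sed 's/^/  /'
echo "denied:";  filter_tools deny  | sed 's/^/  /'
```

The two `API-post-*` entries are listed by exact name rather than as a wildcard, so a write-style tool such as the sample `API-post-page` stays denied.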

Now wait until the application appears in `tsh mcp ls`, then configure your MCP clients to access the MCP server, for example:

```
$ tsh mcp config notion-mcp --client-config claude
```

After configuring your MCP client, you will find Notion-related tools from `teleport-mcp-notion-mcp`. You can now use these tools to interact with Notion via Teleport in your MCP clients:

![Notion Claude](/docs/assets/images/notion-claude-b9c48686e79dc0a59813d5cfb7b72f69.png)

## Next steps

- Review [Enroll a Streamable-HTTP MCP Server](https://goteleport.com/docs/enroll-resources/mcp-access/enrolling-mcp-servers/streamable-http.md).
- See the [dynamic registration](https://goteleport.com/docs/enroll-resources/mcp-access/dynamic-registration.md) guide.
- Learn more about [notion-mcp-server](https://github.com/makenotion/notion-mcp-server).
- Connect your [MCP clients](https://goteleport.com/docs/connect-your-client/model-context-protocol/mcp-access.md).
