Showing content from https://developers.notion.com/docs/best-practices-for-handling-api-keys below:
Best Practices for Handling API Keys
API keys are powerful credentials that provide access to your Notion workspace through our Public API. If these keys fall into the wrong hands, they can pose serious security risks to your integrations, data and workspace.
When your Notion API key is exposed, malicious actors could potentially:
- Access sensitive data: Read all pages, databases, and content in your workspace
- Modify or delete content: Make unauthorized changes to your workspace data
- Export your data: Download and steal your intellectual property
- Perform actions on your behalf: Create, update, or delete pages and databases
- Access user information: View workspace members and their permissions
The scope of access depends on the permissions granted to the integration that owns the API key, but even limited access can be dangerous in the wrong hands.
- Keep your API key private: Treat your API key like your personal password—don’t share it with anyone. If others need access, they should request their own key.
- Never post your key publicly: Avoid sharing your API key in public spaces such as forums, emails, or support tickets, with the Notion support team.
- Be careful with third-party tools: Uploading your API key to external services will provide your key to those services. Only share your key with trusted services. Always store your API key as an encrypted secret when working with third-party platforms. Never put your key directly into code or configuration files - use environment variables!
Never hardcode API keys directly in your source code. Instead, use environment variables:
# .env file (never commit this file)
NOTION_API_KEY=ntn_abc123def456ghi789jkl012mno345pqr
// In your code
const notion = new Client({
auth: process.env.NOTION_API_KEY,
});
- Add
.env files to your .gitignore to prevent accidental commits
- Use different API keys for development, staging, and production environments
- Store production keys in secure secret management systems like AWS Secrets Manager, Azure Key Vault, or HashiCorp Vault
Use tools like GitLeaks, Detect Secrets, or Trufflehog to automatically detect and prevent the commitment of sensitive information like API keys to your repositories. These tools can:
- Scan your codebase for potential secrets before commits
- Integrate with CI/CD pipelines for continuous scanning
- Alert developers when secrets are accidentally committed
- Rotate API keys on a schedule and set calendar reminders to do so
- Immediately rotate keys when team members with access leave
- Keep an inventory of all API keys and their purposes
If you suspect that your API key may be compromised, we recommend taking action immediately:
- Log into your Notion account
- Go to Settings & members → Connections → Develop or manage integrations
- Find the integration with the compromised key
- Click “Refresh” on your integration
Rotate the compromised key by clicking Refresh in your integrations page at https://www.notion.so/profile/integrations update your applications with your new key.
Click Refresh to rotate the API key for a new one
- Check your workspace for any suspicious activity
- Review recent changes to pages and databases
- Look for any unauthorized integrations in Settings & members → Connections
- Replace the old API key in all your applications and environments
- Test that your integrations are working with the new key
- Remove the old key from any configuration files or documentation
If you need assistance with API key security or suspect unauthorized access, contact Notion support at [email protected]
Updated 5 days ago
RetroSearch is an open source project built by @garambo
| Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4