TL;DR: Applications can fetch Notion pages with a refreshed access token while WorkOS Pipes handles OAuth flow, token storage, and refresh logic, reducing the integration burden for B2B apps that need user context from Notion without building credential plumbing themselves, according to WorkOS. The identity lesson is that delegation convenience does not remove governance responsibility.
NHIMG editorial — based on content published by WorkOS: Fetch Notion pages without OAuth using WorkOS Pipes
By the numbers:
- 64% of valid secrets leaked in 2022 are still valid and exploitable today, proving that detection alone is not enough without automated revocation.
Questions worth separating out
Q: How should security teams govern third-party access when OAuth is abstracted away by a broker?
A: They should treat the broker as part of the trust chain, not as a convenience layer outside governance.
Q: Why do page-level permissions matter for Notion-connected applications?
A: Because a successful connection does not imply full workspace visibility.
Q: What breaks when token refresh and revocation are treated as background plumbing?
A: The application loses the ability to distinguish between a temporary expiry, a user-driven disconnect, and a provider-side reauthorization requirement.
Practitioner guidance
- Inventory delegated token brokers as identity control points: Record every integration where the application requests a usable access token from an intermediary service.
- Design for page-level consent, not workspace assumptions: Update onboarding, help text, and support flows so users understand that shared content is limited to the pages or databases they explicitly selected.
- Classify refresh and revocation failures separately: Treat expired access, removed consent, and provider-side reauthorization as different conditions in logs and alerts.
What's in the full article
WorkOS's full tutorial covers the operational detail this post intentionally leaves for the source:
- The exact Node and React code needed to wire the Pipes widget into an Express app without hand-building the OAuth redirect flow.
- The WorkOS dashboard steps for configuring Notion capabilities, shared credentials, and allowed origins for local development.
- The backend pattern for requesting a fresh access token and calling the Notion search API with the returned credential.
- The tutorial's handling of reconnect conditions when the token expires, is revoked, or requires reauthorization.
Notion page access without OAuth: what changes for IAM teams?
Explore further
Delegation convenience has not removed token governance. WorkOS Pipes changes where OAuth complexity lives, but it does not change the underlying identity problem: a third-party token still exists, still authorises access, and still needs lifecycle control. The field should stop treating integration abstraction as governance abstraction. The practitioner implication is that token brokering services belong in the same control map as any other delegated access path.
A few things that frame the scale:
- 64% of valid secrets leaked in 2022 are still valid and exploitable today, proving that detection alone is not enough without automated revocation, according to The State of Secrets Sprawl 2026.
- 28% of secrets incidents now originate outside code repositories, in Slack, Jira, and Confluence, and are 13% more likely to be categorised as critical than code-based leaks.
A question worth separating out:
Q: How do IAM teams know whether a delegated Notion connection is still valid?
A: They need telemetry for token issuance, refresh, disconnect, and reauthorization events tied to the user and integration record. If those signals are missing, the team cannot prove whether access is current, revoked, or merely dormant. Validity in delegated access is a lifecycle question, not just an API response.
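One way to keep the three failure conditions from the practitioner guidance distinct in logs, and to derive connection validity from lifecycle telemetry as the answer above describes. This is an added example, not code from WorkOS or the tutorial: the reason codes, event names, field names, and the dormancy threshold are hypothetical, and the sample events are constructed.

```javascript
// Added example: reason codes, event names and field names are hypothetical,
// not WorkOS Pipes or Notion API values.
const FAILURE_CLASSES = {
  expired: { condition: "temporary_expiry", severity: "info", action: "retry_refresh" },
  consent_removed: { condition: "user_disconnect", severity: "notice", action: "deprovision" },
  reauthorization_required: { condition: "provider_reauth", severity: "warn", action: "prompt_reconnect" },
};

// Build a structured log record tied to the user and integration record.
function classifyFailure(userId, integration, reason, ts) {
  const cls = FAILURE_CLASSES[reason] ||
    { condition: "unclassified", severity: "error", action: "investigate" };
  return { ts, userId, integration, event: "token_failure", reason, ...cls };
}

// Derive validity from the most recent lifecycle event for one connection.
function connectionState(events, userId, integration, now, dormantAfterMs) {
  const mine = events
    .filter((e) => e.userId === userId && e.integration === integration)
    .sort((a, b) => a.ts - b.ts);
  if (mine.length === 0) return "unknown"; // no telemetry: validity cannot be proven
  const last = mine[mine.length - 1];
  if (last.event === "disconnected") return "revoked";
  if (last.event === "token_failure") {
    if (last.condition === "user_disconnect") return "revoked";
    if (last.condition === "provider_reauth") return "needs_reauth";
    if (last.condition === "temporary_expiry") return "expired_pending_refresh";
    return "unknown";
  }
  if (last.event !== "issued" && last.event !== "refreshed") return "unknown";
  // Assumption: no issuance or refresh within the threshold means dormant.
  return now - last.ts > dormantAfterMs ? "dormant" : "current";
}

// Constructed sample telemetry (timestamps in milliseconds).
const DAY = 86400000;
const sampleEvents = [
  { ts: 1 * DAY, userId: "u1", integration: "notion", event: "issued" },
  { ts: 2 * DAY, userId: "u1", integration: "notion", event: "refreshed" },
  { ts: 1 * DAY, userId: "u2", integration: "notion", event: "issued" },
  classifyFailure("u2", "notion", "consent_removed", 3 * DAY),
  { ts: 1 * DAY, userId: "u3", integration: "notion", event: "issued" },
  classifyFailure("u3", "notion", "reauthorization_required", 2 * DAY),
];
```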