How to store Notion access token for specific user without email in response?

I’m working on integrating Notion API into my web application using their public integration approach. The OAuth flow works fine, but I’m facing an issue with user identification.

After successful authentication, Notion returns this response:

response: {
   token: 'secret_ABC123XYZ789DEF456GHI012JKL345MNO678PQR',
   workspace_title: 'John\'s Workspace',
   integration_id: '12abc345-6def-7890-abcd-ef1234567890'
}

The problem is that I need to associate this token with a specific user in my database using their email address. However, the API response doesn’t include any user identification like email or username. How can I properly link this access token to the correct user account in my system? What’s the best practice for handling this scenario?

Notion’s OAuth flow doesn’t identify users directly - it’s all about workspaces, not individuals. Here’s how I’d handle it: Set up a session system where users log in with their email first, then kick off the Notion OAuth. Store their session data temporarily and send them to Notion. When they come back, grab their session details to connect the token to their account. You could also use a state parameter with encrypted user info during OAuth - that way you’re not depending on Notion for user data.

Yeah, Notion’s OAuth is workspace-focused instead of user-focused, which makes this tricky. I handled it by adding a pre-auth step where users enter their email before hitting Notion’s OAuth. I store a temp record with their email + a random UUID, pass that UUID in the state param, then match everything up when they return. Works well, just remember to clean up those temp records.

You need to establish user context before starting the OAuth flow - don’t try to extract it from Notion’s response. I require users to authenticate in my app first, then maintain that auth state throughout the OAuth process. When users click to connect their Notion workspace, I generate a unique identifier tied to their session and include it in the OAuth state parameter. When Notion redirects back to your callback URL, you can grab the state parameter and match it against your user’s session. Another approach that worked well - store the user’s ID in a secure, signed cookie before the OAuth redirect, then read it back during the callback. Bottom line: make sure your app knows who the user is before they head off to Notion’s servers.
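The state-parameter approach the answers above describe, sketched for Node.js as an added example (not code from any of the posters or from Notion). The function names, the in-memory `Map` standing in for a database table, the 10-minute lifetime and the `sessionUserId` argument are assumptions.

```javascript
const crypto = require('node:crypto');

const STATE_TTL_MS = 10 * 60 * 1000; // assumed lifetime of an unfinished connect attempt
const pendingStates = new Map();     // state -> { userId, expiresAt }; stands in for a DB table

// Called when an already logged-in user clicks "Connect Notion".
function beginNotionConnect(userId, now = Date.now()) {
  const state = crypto.randomUUID(); // unguessable, carries no user data itself
  pendingStates.set(state, { userId, expiresAt: now + STATE_TTL_MS });
  return state; // send as the `state` query parameter on the authorization URL
}

// Called from the OAuth callback before the token is stored.
// Returns the user id to file the token under, or null if the callback must be rejected.
function resolveNotionCallback(state, sessionUserId, now = Date.now()) {
  const record = pendingStates.get(state);
  if (!record) return null;                 // unknown, forged or already used
  pendingStates.delete(state);              // single use: a replayed callback finds nothing
  if (now > record.expiresAt) return null;  // attempt took too long
  if (record.userId !== sessionUserId) return null; // flow was started by another account
  return record.userId;
}

// Periodic cleanup of attempts that never came back from Notion.
function purgeExpiredStates(now = Date.now()) {
  let removed = 0;
  for (const [state, record] of pendingStates) {
    if (now > record.expiresAt) {
      pendingStates.delete(state);
      removed++;
    }
  }
  return removed;
}
```

Rejecting a callback whose state was issued to a different session is what stops one user's Notion token from being attached to someone else's account.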