Managing Notion MCP Auth: DCR, Expiring Clients, and Token Tracking
2026-03-18 · 6 min read
Connecting Notion to Claude or ChatGPT is one of the most powerful things you can do with AI. Your chat tool gets access to all of your Notion pages as context, and you can port the results of conversations straight back into Notion — turning chat into action by updating your content quickly and easily. The problem is that Claude and ChatGPT are notoriously bad at keeping your Notion connection alive. You end up logging back in daily, sometimes more often, which kills the flow. This post explains why that happens and how to fix it.
// Notion is different
Most MCP-compatible services give you a choice: connect via OAuth or use a static API key. GitHub has personal access tokens. Atlassian has API tokens. Todoist has app tokens. If OAuth breaks, you have a fallback.
Notion does not give you that choice. Notion only supports OAuth. There is no API key, no personal access token, no alternative. If your OAuth connection breaks, you are locked out until you re-authenticate.
That alone makes Notion one of the trickier MCP integrations to keep alive. But there is another layer that makes it uniquely challenging.
// what is Dynamic Client Registration?
Most OAuth providers use static client registration. You go to a developer portal, create an app, and get a permanent client ID and client secret. Those credentials never change. Every user who authenticates through your app uses the same client ID.
Notion does not support static registration for MCP. Instead, it uses Dynamic Client Registration (DCR) — a protocol defined in RFC 7591.
Here is how DCR works at a high level:
1. The MCP client requests a new client
Your MCP proxy sends a POST to Notion's registration endpoint with metadata about itself (name, redirect URIs, etc.).
2. Notion issues a temporary client ID
Notion responds with a fresh client_id and client_secret. These are unique to this registration and have a limited lifespan.
3. OAuth proceeds as normal
The user authorizes the app using the new client ID. Notion issues access and refresh tokens tied to that specific client registration.
4. The user is connected
Everything works — until the DCR client expires.
This is fundamentally different from static registration. With static registration, your client ID lives forever. With DCR, Notion can (and does) expire your client registration after a short period.
// the expiration problem
Here is where it gets interesting. When a DCR client registration expires, the client ID can no longer be used to authenticate new users. You cannot start a new OAuth flow with an expired client ID.
But — and this is the critical detail — the access tokens and refresh tokens that were issued under that client ID remain valid.
This means:
- Existing connections keep working. If you already have an access token from a now-expired client ID, you can still use it to call the Notion API.
- Refresh tokens still work. You can still exchange a refresh token for a new access token, as long as you use the original client ID that issued it.
- New connections need a new client. To authorize a new user, you need to register a brand new DCR client with Notion.
On the surface, this seems manageable. In practice, it creates a tracking problem that most AI chat tools do not handle. This may be why connections between ChatGPT/Claude and Notion break all the time, forcing you to log in again.
// the tracking problem
Consider a proxy that manages Notion connections for multiple users over time. Every time it needs to authorize a new user, it might register a new DCR client (because the old one expired). Now it has:
- Client ID A (expired) — issued tokens for User 1 and User 2
- Client ID B (expired) — issued tokens for User 3
- Client ID C (active) — issued tokens for User 4
When User 1's access token expires and needs to be refreshed, the proxy must use Client ID A — not Client ID C. Even though Client ID A is "expired" from a registration standpoint, it is still the only client ID that Notion will accept for refreshing User 1's tokens.
If the proxy mistakenly uses the latest client ID (C) with User 1's refresh token, the refresh will fail. Notion rejects the request because there is a mismatch between the client that issued the token and the client trying to refresh it.
This means the proxy needs to:
- Record which DCR client ID was used when each user's tokens were originally issued.
- Store that client ID alongside the tokens for every connection.
- Use the original client ID (not the latest one) when refreshing tokens for that connection.
Get any of this wrong and the connection silently breaks. The user sees an auth error and has to reconnect from scratch — which means the proxy registers yet another new DCR client, and the cycle continues.
// how Bindify handles it
Bindify tracks the DCR client ID that was used to issue each connection's tokens. When it is time to refresh an access token, Bindify looks up the original client credentials for that specific connection — not the most recent registration.
This is all transparent to you. You authenticate once, get your permanent URL, and Bindify handles the rest:
You connect Notion through Bindify
Bindify registers a DCR client, runs the OAuth flow, and stores everything together.
The DCR client expires
Does not matter. Bindify still has the original client ID stored with your tokens.
Your access token expires
Bindify refreshes it using the correct client ID. No mismatch. No failure.
Your connection stays alive
Weeks, months — as long as the refresh tokens remain valid, Bindify keeps you connected.
Your tokens are encrypted with a key derived from your secret URL. Bindify never stores the decryption key. Even if Bindify were compromised, your Notion tokens would be unreadable.
// ongoing stability testing
We are currently running a month-long case study to measure exactly how stable Bindify connections are over time.
The setup:
- 46 connections across every combination of supported services and connection settings.
- Automated requests hitting each MCP server daily, weekly, and monthly — each polling frequency gets its own connection URL.
- Notion connections included — multiple configurations to test DCR token longevity under different usage patterns.
The goal is to produce hard evidence for whether Bindify connections remain stable for an entire month, even with varying levels of use. Early results are promising — Notion connections that were set up at the start of the study are still working without any re-authentication.
We will publish the full results when the study concludes. Follow the blog for updates.
// the takeaway
Notion's auth is uniquely challenging because of DCR. Client registrations expire, but tokens outlive them — and refreshing those tokens requires the exact client ID that issued them. Claude, ChatGPT, and most simple proxies do not track this correctly.
If you are using Notion through Claude or ChatGPT connections and keep hitting authentication errors, this is likely why. The fix is not to keep re-authenticating. The fix is to use an auth layer that understands how DCR works and tracks the relationship between clients and tokens.
Pairing Notion with your AI chat tool can be incredibly powerful, but needing to log back in constantly takes you out of the flow. Using an auth layer like Bindify removes the re-login headache so you can focus on what makes the pairing valuable — seamless access to your pages and the ability to push results straight back into Notion.
24-hour free trial. No credit card required.