Notion Token
Detects Notion integration tokens in both live formats: the current ntn_ prefix (issued to all new integrations since 25 September 2024) and, when labelled with Notion context, the legacy secret_ prefix (existing tokens remain valid indefinitely). A leaked integration token grants API access to every page and database the integration has been connected to.
- Type
- regex
- Engine
- universal
- Confidence
- high
- Confidence justification
- High confidence: the ntn_ format is multiply attested -- Notion's own developer changelog announced the prefix change (25 September 2024, explicitly for secret-scanner compatibility), Notion is a GitHub secret-scanning partner with push protection enabled, and gitleaks and Kingfisher independently pin the identical body structure (11 digits + 35 alphanumerics). The legacy secret_ format is pinned at 43 alphanumerics by TruffleHog and confirmed by GitGuardian's v1/v2 detector split; it is deliberately context-gated because its prefix is a generic English word that appears inside longer identifiers. Notion itself warns that token formats may change and recommends treating tokens as opaque -- reflected in the bounded, evidence-pinned regexes and the corroborative keyword requirement at the recommended confidence tier.
- Jurisdictions
- global
- Regulations
- Criminal Code Act 1995 (Cth)
- Frameworks
- CIS Controls, ISO 27001, NIST CSF, SOC 2
- Data categories
- credentials, security
- Scope
- narrow
- Risk rating
- 8
- Platform compatibility
- Purview: Compatible, GCP DLP: Unsupported, Macie: Unsupported, Zscaler: Compatible, Palo Alto: Unsupported, Netskope: Unsupported
Pattern
(?<![A-Za-z0-9_-])ntn_[0-9]{11}[A-Za-z0-9]{35}(?![A-Za-z0-9_-])
Corroborative evidence keywords
notion, notion.so, NOTION_TOKEN, NOTION_API_KEY, integration token, api key, api_key, apikey, access key, access token, auth token, authorization, bearer, conn str, connection string, connectionstring, cookie, credential, database, host (+38 more)
Proximity: 300 characters
Should match
ntn_12345678901ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghi— Notion integration token, current ntn_ format (11-digit segment + 35 alphanumerics)NOTION_TOKEN=ntn_98765432109abcdefghijklmnopqrstuvwxyzABCDEFGHI— Labelled ntn_ token in an env assignmentnotion integration token: secret_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopq— Legacy secret_ token (43 alphanumerics) with a preceding Notion label (context-gated branch)NOTION_API_KEY=secret_zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJ— Legacy secret_ token in the canonical env-var assignment (label supplied by the variable name)Notion token "secret_0123456789012345678901234567890123456789012"— Legacy secret_ token quoted in prose after a Notion label
Should not match
ntn_1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijk— Digit segment too short (10 digits, not 11)secret_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopq— Bare legacy-format value with no Notion label anywhere ("secret_" alone is too generic to fire value-only)notion workspace uses client_secret_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopq— secret_ embedded inside a longer identifier (client_secret_...) must not fire even with a Notion label presentthe notion integration token was rotated yesterday— Prose mention without a token valuetemplate example placeholder record identifier— Template/sample context should be excluded even when anchor words are present
Known false positives
- Identifier fragments like client_secret_... or secret_key_... near the word "notion" in source code or documentation. Mitigation: The legacy branch requires a non-identifier character immediately before secret_ (enforced by lookbehind) and exactly 43 alphanumerics followed by a boundary, which composite identifiers essentially never satisfy.
- The common English word "notion" appearing in unrelated prose near an unrelated token. Mitigation: The brand-name keyword term is case-sensitive (Notion, capitalised) and unambiguous terms (notion.so, NOTION_TOKEN) disambiguate; the ntn_ branch does not depend on the word at all.
- Notion advises against regex-identifying its tokens because formats may change; future format revisions may not be matched. Mitigation: Documented as a known scope limitation; both currently-issued formats are pinned to multiply-attested structures and the pattern will need a version bump if Notion changes formats again.
References
- Notion developer changelog (ntn_ prefix replaces secret_ from 2024-09-25; legacy tokens keep working; advises against regex validation)
- gitleaks.toml notion-api-token rule (ntn_[0-9]{11}[A-Za-z0-9]{32}[A-Za-z0-9]{3})
- Kingfisher production Notion rules (ntn_ value-only 11+35; legacy secret_ context-gated on a notion label)
- TruffleHog production Notion detector (legacy secret_[A-Za-z0-9]{43})
- Supported secret scanning patterns - GitHub Docs (Notion API Token, partner + push protection)