Skip to content

Reform Notion MCP guide for Kubernetes remote proxy support#1004

Open
danbarr wants to merge 2 commits into
mainfrom
notion-remote-mcp-guide
Open

Reform Notion MCP guide for Kubernetes remote proxy support#1004
danbarr wants to merge 2 commits into
mainfrom
notion-remote-mcp-guide

Conversation

@danbarr

@danbarr danbarr commented Jul 1, 2026

Copy link
Copy Markdown
Collaborator

Description

The Kubernetes tab claimed the ToolHive operator doesn't support remote MCP servers with OAuth, which hasn't been true for a long time. Replaced the static-integration-key workaround with a verified MCPRemoteProxy + embedded authorization server setup.

Notion's remote MCP server only supports Dynamic Client Registration for third-party OAuth clients, so the guide walks through minting persistent credentials via DCR instead of a dashboard app. Two callouts cover gotchas found while verifying this end to end against a real cluster and a real Notion account: the issuer field must stay path-free, and the upstream redirectUri default computed from resourceUrl breaks once resourceUrl has a path.

Also updated the Overview, Recommended Practices, and Troubleshooting sections to reflect the embedded-auth-server session model instead of a bare pass-through, and pointed the "expose the proxy externally" reference at the more complete connect-clients.mdx guide instead of a thinner duplicate section.

Type of change

  • Documentation update
  • Bug fix (typo, broken link, etc.)

Related issues/PRs

N/A

Screenshots

N/A - no visual or sidebar changes.

Submitter checklist

Content and formatting

  • I have reviewed the content for technical accuracy
  • I have reviewed the content for spelling, grammar, and style

Reviewer checklist

Content

  • I have reviewed the content for technical accuracy
  • I have reviewed the content for spelling, grammar, and style

The K8s tab claimed the operator doesn't support remote MCP servers
with OAuth, which hasn't been true for a long time. Replace the
static-integration-key workaround with a verified MCPRemoteProxy +
embedded authorization server setup.

Notion's remote MCP server only supports Dynamic Client Registration
for third-party OAuth clients, so the guide walks through minting
persistent credentials via DCR instead of a dashboard app. Callouts
cover two gotchas found while verifying this end to end: the issuer
field must stay path-free, and the upstream redirectUri default
computed from resourceUrl breaks once resourceUrl has a path.
Copilot AI review requested due to automatic review settings July 1, 2026 17:03
@vercel

vercel Bot commented Jul 1, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
docs-website Ready Ready Preview, Comment Jul 1, 2026 5:17pm

Request Review

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the Notion remote MCP server guide to correct Kubernetes guidance and document a working remote-proxy + embedded authorization server flow, including Dynamic Client Registration (DCR) for Notion’s OAuth client credentials.

Changes:

  • Replaces the prior “static integration key” Kubernetes workaround with an MCPRemoteProxy + MCPExternalAuthConfig (embedded auth server) setup.
  • Adds a DCR-based “mint persistent client credentials” step and expands Kubernetes-specific operational/troubleshooting guidance around sessions and OAuth flow debugging.
  • Updates recommended practices/troubleshooting to reflect the embedded-auth-server session model and points external exposure guidance at connect-clients.mdx.

Comment thread docs/toolhive/guides-mcp/notion-remote.mdx
Comment thread docs/toolhive/guides-mcp/notion-remote.mdx Outdated
Rephrase four spaced-hyphen sentence separators per the style guide.

Clarify why this guide sets redirectUri explicitly instead of relying
on the documented {resourceUrl}/oauth/callback default: that default
only works for a bare-host resourceUrl, and breaks once resourceUrl
has a path (as it does here), since the callback route is only ever
served at the host root. Cross-references the relevant auth-k8s.mdx
section instead of leaving the divergence unexplained.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants