> ## Documentation Index
> Fetch the complete documentation index at: https://developers.notion.com/llms.txt
> Use this file to discover all available pages before exploring further.
# Building a link preview
> Follow this step-by-step guide to create your first link preview.
export const developerConnectionsUrl = "https://www.notion.so/developers/connections";
A Link Preview is a real-time excerpt of authenticated content that unfurls in Notion when an authenticated user pastes a supported link in their workspace.
Developers can build Link Preview connections to customize how links unfurl in Notion workspaces for domains they own.
This guide explains how to use the Notion Link Previews API to create Link Previews for your product. After you’ve read this guide, you’ll know how to:
To build a Link Preview connection, you must first request access to the Link Preview API. Fill out the [Link Preview request form](https://notionup.typeform.com/to/BXheLK4Z?typeform-source=developers.notion.com) before proceeding if you haven’t already.
## Requirements
* You’ve [requested and received access to the Link Previews API](https://notionup.typeform.com/to/BXheLK4Z?typeform-source=developers.notion.com).
* You own the domain that you’re using to create Link Previews. You’ll need to share a verification code from Notion with your domain host when you initialize the connection.
* Your application supports OAuth 2.0.
* You’ve read the [Link Previews overview](/guides/link-previews/introduction), so you have a good idea of what you’re building and how it works.
* You’ve read the [Authorization guide](/guides/get-started/authorization) and have familiarized yourself with Notion connections.
With those requirements met, read on!
To build a Link Preview connection, you must first request access to the Link Preview API. Fill out the [Link Preview request form](https://notionup.typeform.com/to/BXheLK4Z?typeform-source=developers.notion.com) before proceeding if you haven’t already.
## Create a public Notion connection
Link Preview connections are a type of public connection. To create a Link Preview connection, you must first create a public connection. Once the public connection is created, you can enable the link preview setting through the connection's settings.
To learn how to create a public connection, follow the [Authorization guide](/guides/get-started/authorization).
## Configure Link Preview settings in the Developer portal
This step will guide you through enabling link previews for your connection, as well as filling out the link preview connection forms found in your connection settings.
To start, navigate to the public connection you will be using for your link preview connection. It can be found in the Developer portal. If you have access to the Link Preview API, you will see a Link Preview section in the Configuration tab.
This page contains a toggle input to enable link previews for your connection. Switching it on will display the External Authorization Setup form that will you need to fill out and save.
Once the link preview toggle is turned on for the connection, you will need to fill out two forms in the following order:
1. The External Authorization Setup form.
2. The Unfurling Domain & Patterns form.
In the next section, we'll review how to fill out these forms.
**If you don't see `Enable link preview` as an option, then:**
* Make sure that you’ve [applied](https://notionup.typeform.com/to/BXheLK4Z?typeform-source=developers.notion.com) and received access to the Link Previews API.
* Confirm that you’re logged in to the Notion account that you used to request access.
* Reach out to **[developers@makenotion.com](mailto:developers@makenotion.com)** if you continue to have issues.
### 1. Fill out the External Authorization Setup form
The External Authorization Setup settings give Notion the information that it needs to let a user authenticate with your service when they paste a Link Preview enabled URL in Notion.
| Field | Description | Example value |
| :------------------------------------ | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------- |
| OAuth Authorize URL | The URL that Notion redirects the user to when they connect your connection to their account.
When Notion redirects to this URL, it passes a `code` as a query param in the request. Your connection trades the `code` for an `access_token` to make authenticated requests to the Link Previews APIs. | `https://.com/notion/authorize` |
| OAuth Token URL | The URL that responds to a Notion POST request with an `access_token` from your service.
Notion uses the `access_token` to make authenticated requests to your systems. | `https://.com/notion/token` |
| OAuth Client ID | The client ID that Notion uses in its requests to your Authorize and OAuth Token URLs. | `mRkZGFjM` |
| OAuth Client Secret | The client secret that Notion uses in its requests to the Authorize and Token URLs. | `ZGVmMjMz` |
| OAuth Scopes (optional) | An optional scopes string for Notion to send as a parameter in the request to your OAuth Authorize URL. | `unfurl`, `user_name` |
| Deleted Token Callback URL (optional) | A URL that Notion sends a DELETE request to when a user removes a Link Preview from a Notion page or disconnects your connection from their workspace, so that you can delete their tokens.
You can use the request body that Notion sends to look up the user and deactivate their associated `access_token`s from your service.
Whether or not you use a deleted token callback, Notion invalidates any Notion-side tokens corresponding to the user and the Link Preview that they delete. | `https://.com/notion/deletion` |
After you’ve filled out this information, click `"Submit ->"` to continue to Unfurling Domain & Patterns.
### 2. Fill out the Unfurling Domain & Patterns form
The Unfurling Domain & Patterns settings give Notion the information that it needs to recognize the URLs that you want to unfurl Link Previews.
| Field | Description | Example value |
| :--------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | :--------------------------------- |
| Unfurl Callback URL | The URL that shares data to be displayed in the Link Preview with Notion. Notion sends POST and DELETE requests to this URL when a user adds or deletes a Link Preview.
You can leave this blank as you set up OAuth and return to it once you’ve created your unfurl attributes. Refer to [Use the Unfurl Callback URL](#use-the-unfurl-callback-url) for details.
Must be an internet-accessible URL that can and should be protected by authentication. | `https://.com/unfurl` |
| Unfurl URL Domain | The root domain that maps to this connection.
After you add a domain, follow the prompts to verify your domain with Notion. | `.com` |
| URL matching and placeholder | The pattern that a URL must match in order to unfurl as a Link Preview.
You can provide multiple patterns for one connection. | Refer to the table below. |
The URL matching and placeholder field includes its own fields:
| Field | Description | Example value |
| :---------------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Rule name | A name for the pattern. | `"item"` |
| Sample URLs | An example URL that matches the pattern and triggers a Link Preview. | `https://acme.com/items/23487` |
| Pattern | A Regex pattern that Notion can use to identify URLs that trigger Link Previews.
If the Regex pattern fails to match any sample URL, then an error prompt appears when you save settings. | `^(?https\:\/\/acme\.com)\/items\/(?\d+)$` |
| Unfurl Regex Attributes | An array of JSON objects. Each JSON object contains placeholders, populated from Regex capture groups, for a Link Preview’s unfurl attributes. Placeholders are displayed when a Link Preview is waiting for data to populate from your service.
You can leave this blank as you set up OAuth and return to it once you’ve created your unfurl attributes. | `[ { "id": "title", "name": "Title", "type": "inline", "inline": { "title": { "value": "Acme Item #$", "section": "title" } } }, { "id": "itemId", "name": "Item Id", "type": "inline", "inline": { "plain_text": { "value": "#$", "section": "identifier" } } }, { "id": "dev", "name": "Developer Name", "type": "inline", "inline": { "plain_text": { "value": "Acme Inc", "section": "secondary" } } } ]` |
After you've filled out the External Authorization Setup and Unfurling Domain & Patterns settings, click `"Submit ->"` to create the connection.
## Set up the authorization flow
There are two high-level parts to the auth flow for a Link Preview:
* **Your service authenticates with Notion.** Notion sends a `code` to your OAuth Authorize URL. Your connection exchanges this `code` for a Notion `access_token` that enables your service to make authenticated requests to the Link Previews APIs.
* **Notion authenticates with your service.** Your service responds to Notion’s request with a `code`. Notion exchanges this token for your service’s `access_token` via your OAuth Token URL. This allows Notion to embed the data from your service in Link Previews.
The tokens **need to be exchanged the first time** a user attempts to add your Link Preview enabled URL to a page. After the initial exchange, the Notion `access_token` is long-living and doesn’t need to be updated. If you prefer, Notion can also [support refresh tokens](#how-to-use-refresh-tokens-optional) and fetch new tokens from your service.
The auth flow begins when a user shares your Link Preview enabled URL in Notion. Notion recognizes the link and redirects to the OAuth Authorize URL that you provided in the connection settings.
Notion includes the following query params to kick off the OAuth flow with your service:
| Parameter | Description | Value |
| :----------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :----------------------------------------------------- |
| `code` | A UUID that Notion generates to authenticate with your service. | `614846ff-b061-4eac-a511-fc20c3f0838a` (example value) |
| `redirect_uri` | A constant string. Your service redirects a user to this URL after they grant permission for it to access Notion.
To prevent attackers from providing arbitrary URIs, your service should validate that the redirect URI matches this value. | `https://notion.so/externalIntegrationAuthCallback` |
| `client_id` | The OAuth Client ID that you provided when you created the connection. | `mRkZGFjM` (example value) |
| `scope` (optional) | The OAuth Scopes value that you provided when you created the connection. | `unfurl`, `user_name` (example values) |
| `response_type` | A constant string. | `code` |
| `state` | A randomized string for security validation. | `tga@YNV9cfw4yrv0thw` (example value) |
Your implementation begins after Notion sends the request.
### 1. Provide OAuth form
Listen for requests to your OAuth Authorize URL. When you detect a request from Notion, present a UI that asks the user to allow the authentication process to continue.
For example, Slack shares the following interstitial when a user initiates a Link Preview from a Slack URL:
### 2. Authenticate with Notion’s `access_token`
In your connection implementation, retrieve the `code` that Notion sent when it called your OAuth Authorize URL. Then, send the `code` as part of a POST request to Notion’s token URL: `https://api.notion.com/v1/oauth/token`.
The Notion `code` is valid for 10 minutes. If the `code` expires, then an error is returned and you need to reinitiate the auth flow for Notion to authenticate with your service ([Step 1](#1-provide-oauth-form)).
To explore other possible errors, refer to the [OAuth 2.0 documentation](https://www.oauth.com/oauth2-servers/server-side-apps/possible-errors/). Default to re-initiating the auth flow to handle errors.
The request is authorized using HTTP Basic Authentication. The credential is a colon-delimited combination of the connection's `CLIENT_ID` and `CLIENT_SECRET`: `CLIENT_ID:CLIENT_SECRET`. You can find these values on the connection settings page. Find your connection, and click `View connection`.
Note that in [HTTP Basic Authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication), credentials are `base64` encoded before being added to the `Authorization` header. Notion also requires the word `Basic` before the `base64` encoded string. A complete code param looks something like the following:
`Basic NjQ5Mzc0OTIzNzQ5MjM4NDc5MjM4NDc5MjM0NzkyMzc0OjQ3Mzg5Mjc0OTIzODQ3Mjk0ODcyMzkzNDgyNzk0ODcyMzQ5`
For more information, read about HTTP Basic Authentication in our [Authorization guide](/guides/get-started/authorization#step-3-send-the-code-in-a-post-request-to-the-notion-api).
The body of the request contains the following JSON-encoded fields:
| Parameter | Description | Value |
| :----------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | :-------------------------- |
| `code` | A unique random code that Notion generates to authenticate with your service, generated when a user initiates the auth flow. | `"ABC"` (example value) |
| `grant_type` | A constant string. | `authorization_code` |
| `external_account` | Object with `key` and `name` properties.
`key` should be a unique identifier for the account. Notion uses the `key` to determine whether or not the user is re-connecting the same account.
`name` should be some way for the user to know which account they used to authenticate with your service. | Refer to the example below. |
The following example demonstrates an `external_account` object for `team@makenotion.com`, a Notion employee account, to authenticate with Slack to use a Slack Link Preview.
```json JSON theme={null}
{
"key": "A83823453409384",
"name": "Notion - team@makenotion.com"
}
```
The account `name` appears in the `"My connections"` settings page, where a user can review their authentications for your connection.
A complete POST request looks like the below:
```curl cURL theme={null}
curl --location --request POST 'https://api.notion.com/v1/oauth/token' \
--header 'Authorization: Basic '"$BASE64_ENCODED_ID_AND_SECRET"'' \
--header 'Content-Type: application/json' \
--header 'Notion-Version: 2026-03-11' \
--data '{
"grant_type": "authorization_code",
"code": "e202e8c9-0990-40af-855f-ff8f872b1ec6",
"external_account": {
"key": "A83823453409384",
"name": "Notion - team@makenotion.com"
}
}'
```
Notion responds to the request with a 200 OK and the following response body:
| Parameter | Description | Value |
| :----------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------ | :------------------------------------------------------------- |
| `access_token` | A unique random string that Notion generates, in exchange for the `code`. You can use the `access_token` to make authorized requests to the Notion API. | `"ABC"` (example value) |
| `bot_id` | A UUID representing this authorization. | `"3d592781-2dcc-4d4b-bcf3-776a2a7ad7b8"` (example value) |
| `duplicated_template_id` | Always `null` for Link Preview connections. Create a [standard public connection](/guides/get-started/overview#connection-types) to use template URLs with the API. | `null` |
| `owner` | An object indicating who owns the authorized workspace. | Refer to the [bot object](/reference/user#bots) documentation. |
| `token_type` | A constant string. | `"bearer"` |
| `workspace_id` | A UUID representing the ID of the Notion workspace where the authorization flow took place. | `"3d592781-2dcc-4d4b-bcf3-776a2a7ad7b8"` (example value) |
| `workspace_icon` | A URL to an image, or a string of characters, that identifies the workspace. This could be useful if you’d like to display this authorization in your service’s UI. | `"🍩"` |
| `workspace_name` | A string representing a human-readable name that can be used to display this authorization in your service’s UI. | `"My Team Workspace"` (example value) |
Store the Notion response, and associate it with the user who initiated the OAuth flow. Notion stores the token that you provided.
For tips on storing `access_token`s, check out [the auth guide](/guides/get-started/authorization#step-5-the-connection-stores-the-access_token-and-refresh_token-for-future-requests).
### 3. Redirect to the `redirect_uri` with `code`
When a user selects `"Allow"` to grant Notion the requested permissions, redirect to the `redirect_uri` , the constant string [`notion.so/externalIntegrationAuthCallback`](http://notion.so/externalIntegrationAuthCallback), with your service’s unique `code` and the `state` that Notion sent to your service when it initiated the auth flow.
When Notion receives the redirect, it sends a POST request to the OAuth Token URL that you provided with the following body:
| Parameter | Description | Value |
| :-------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------ |
| `code` | A unique random string that your service generates, retrieved from your service’s request to the `redirect_uri`. Notion is sending back the code that you sent. | `WQtaEYNV9jfL4yr89KJA0thw` |
| `client_id` | The OAuth Client ID that you provided when you created the connection. | `mRkZGFjM` (example value) |
| `client_secret` | The OAuth Client Secret that you provided when you created the connection. | `ZGVmMjMz` (example value) |
| `redirect_uri` | A constant string. | `notion.so/externalIntegrationAuthCallback` |
| `grant_type` | A constant string. | `authorization_code` |
The body is sent in the `application/x-www-form-urlencoded` format and expects a JSON response.
### 4. Share the `access_token` with Notion
From your OAuth Token URL, respond to Notion’s POST request with an `access_token` body parameter in your 200 response.
Notion saves the `access_token` to send in future requests. Notion sends a request to your Unfurl Callback URL every time that the user associated with the token pastes a new Link Preview enabled URL or revisits a page with an existing Link Preview to refresh data.
**How Notion handles OAuth errors**
Notion handles error responses as described by the [OAuth Error Spec](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1). The message that Notion displays to the user varies depending on the information that you provide.
For example, you can respond with an `error` and a standard error code like `access_denied`:
`https://notion.so/externalintegrationauthcallback?error=access_denied`
In this instance, Notion shares the following message:
You can also add an `error_description` to the response:
`https://notion.so/externalintegrationauthcallback?error=access_denied&error_description=The+user+has+denied+your+application+access`
If Notion detects a description, then it replaces the standard dialogue prompt with the specified description, as in the below:
If Notion doesn’t recognize the error code, then it notes that the error is unknown:
For more details on standard error codes, refer to the [OAuth spec](https://www.rfc-editor.org/rfc/rfc6749#section-4.2.2.1).
#### How to use refresh tokens (optional)
Skip to [Step 5](#5-test-the-auth-flow-in-notion) if you’re creating long-living access tokens. This section only applies to temporary access tokens.
##### Return a `refresh_token`
Instead of creating a long-living `access_token`, you can send a `refresh_token` alongside a temporary access token. Notion can then use the `refresh_token` to fetch new tokens from your service.
If you return a `refresh_token`, then you need to also return an `expires_in` integer, as in the following example:
```json Example 200 JSON response from your service with refresh_token and expires_in values theme={null}
{
"access_token": "ABC",
"refresh_token": "XYZ",
"expires_in": 60000
}
```
`expires_in` represents the number of seconds until the `access_token` expires.
##### Notion requests to refresh a token
If Notion detects that the `access_token` is expired, meaning that the current time exceeds the time of the last refresh plus the `expires_in` value, then Notion refreshes the tokens when it calls your endpoints.
To refresh the token, Notion sends a POST request to your OAuth Token URL with the following parameters:
| Parameter | Description | Value |
| :-------------- | :------------------------------------------------------------------------- | :-------------------------------------------------- |
| `refresh_token` | The unique random string returned in the response to the previous request. | `"ABC"` (example value) |
| `client_id` | The OAuth Client ID that you provided when you created the connection. | `mRkZGFjM` (example value) |
| `client_secret` | The OAuth Client Secret that you provided when you created the connection. | `ZGVmMjMz` (example value) |
| `redirect_uri` | A constant string. | `https://notion.so/externalIntegrationAuthCallback` |
| `grant_type` | A constant string. | `refresh_token` |
##### Respond to Notion’s request to refresh a token
From your OAuth Token URL, return an `access_token` in your 200 response. You can optionally return new `refresh_token` and `expires_in` values.
### 5. Test the auth flow in Notion
To test the auth flow, make sure that you’ve added the connection to a workspace. Then, navigate to `"My connections"` in the workspace settings. Click `"Show all"`. Find the connection that you created in the list, and select `"Connect"` to kick off the auth flow.
If you don’t see your connection in the list, then refresh the page. Notion only loads new connections on page load.
If the auth flow is successful, then you’ll see a new entry under the `"My connections"` menu.
To verify that the `key` for this connection is unique, repeat the auth flow multiple times using the same credentials to validate that you only get a single entry.
## Use the Unfurl Callback URL
### 1. Configure unfurl attributes
After a user pastes a Link Preview enabled link and completes the auth flow, Notion sends a POST request to the Unfurl Callback URL that you provided in the connection settings.
The request includes a Bearer authorization with the user’s `access_token` from your service, and the payload is a single field called `uri` that includes the link that the user shared:
```curl cURL theme={null}
curl -d '{"uri":"http://example.com/file/123"}' \
-H "Content-Type: application/json" \
-H "Authorization: Bearer "
-X POST https://example.com/unfurl
```
Set up the Unfurl Callback URL to respond to Notion’s request with a 200 OK including the `uri`, and an array of all of the unfurl attributes, the values to display in the Link Preview. **The array must include a `title` attribute that gives the Link Preview a title and a *dev* attribute that indicates the developer or company that created the Link Preview**.
The following is an example response:
```json JSON expandable theme={null}
{
"uri": "http://example.com/file/123",
"operations": [
{
"path": [
"attributes"
],
"set": [
{
"id": "title",
"name": "Title",
"type": "inline",
"inline": {
"title": {
"value": "The Link Preview's Title",
"section": "title"
}
}
},
{
"id": "dev",
"name": "Developer Name",
"type": "inline",
"inline": {
"plain_text": {
"value": "Acme Inc",
"section": "secondary"
}
}
},
{
"id": "color",
"name": "Color",
"type": "inline",
"inline": {
"color": {
"value": {
"r": 235,
"g": 64,
"b": 52
},
"section": "background"
}
}
}
]
}
]
}
```
To preview how different response objects unfurl in a Link Preview, explore the connection's Link Preview Lab.
To learn more about unfurl attributes, refer to the Link Preview [unfurl attributes reference](/reference/unfurl-attribute-object).
### 2. Handle unfurl request errors
Set up the Unfurl Callback URL to handle errors, as in the following example.
```json JSON theme={null}
{
"uri": "http://example.com/file/123",
"operations": [
{
"path": ["error"],
"set": { "status": 404, "message": "Content not found" }
}
}
```
## Manage updates to Link Previews
### Update Link Previews to reflect data shared in unfurl attributes
If the unfurl attributes from your service change over time, then you can alert Notion to update the Link Preview to mirror those changes.
When your service detects changes to data that is referenced by a Link Preview, send a PATCH request to Notion’s `/v1/external/object` endpoint to update the unfurl attributes.
Include all of the same objects from the Unfurl Callback URL response in the request, including the attributes that haven’t changed, as in the following example:
```bash cURL expandable theme={null}
curl -d `{
"uri": "http://example.com/file/123",
"operations": [
{
"path": ["attributes"],
"set": [
{
"id": "title",
"name": "Title",
"type": "inline",
"inline": {
"title": {
"value": "The Link Preview's NEW Title",
"section": "title"
}
}
},
{
"id": "color",
"name": "Color",
"type": "inline",
"inline": {
"color": {
"value": {
"r": 235,
"g": 64,
"b": 52
},
"section": "background"
}
}
}
]
}
]
}` \
-H "Content-Type: application/json" \
-H "Authorization: Bearer " \
-H "Notion-Version: 2021-08-16" \
-X PATCH https://api.notion.com/v1/external/object
```
It’s also possible to set a new error request. For example, if the data originally shared in a Link Preview can’t be found, then you could send an update request as follows:
```bash cURL expandable theme={null}
curl -d `{
"uri": "http://example.com/file/123",
"operations": [
{
"path": ["error"],
"set": { "status": 404, "message": "Content not found" }
}
]
}` \
-H "Content-Type: application/json" \
-H "Authorization: Bearer " \
-H "Notion-Version: 2021-08-16" \
-X PATCH https://api.notion.com/v1/external/object
```
You can also set both new attributes and an error request at the same time, as in the below example:
```bash cURL expandable theme={null}
curl -d `{
"uri": "http://example.com/file/123",
"operations": [
{
"path": ["attributes"],
"set": [
{
"id": "title",
"name": "Title",
"type": "inline",
"inline": {
"title": {
"value": "The Link Preview's Title",
"section": "title"
}
}
},
{
"id": "color",
"name": "Color",
"type": "inline",
"inline": {
"color": {
"value": {
"r": 235,
"g": 64,
"b": 52
},
"section": "background"
}
}
}
]
},
{
"path": ["error"],
"set": { "status": 404, "message": "Content not found" }
}
]
}` \
-H "Content-Type: application/json" \
-H "Authorization: Bearer " \
-H "Notion-Version: 2021-08-16" \
-X PATCH https://api.notion.com/v1/external/object
```
When updating a Link Preview’s unfurl attributes, there’s no need to clear the `error`. If no `error` is sent, then the `error` is automatically cleared.
#### Notion updates your service when a user deletes Link Preview enabled URLs
When a user deletes all Link Previews associated with a URL from their workspace, Notion sends a DELETE request to your Unfurl Callback URL.
Listen for the request to perform any associated actions, like deleting the record from your service.
## Submit your connection for security review
Before a Link Preview connection can be publicly distributed, it needs to pass a security review. [Fill out this form](https://docs.google.com/forms/d/e/1FAIpQLSd94UcRziV-1yFv6udO0qZwohLyXxhYYadUqEJyyEd03RAj1w/viewform) to submit your connection for review.
**Next steps**
* To learn more about customizing a Link Preview’s unfurl attributes, refer to the [reference docs](/reference/unfurl-attribute-object)