MCP Servers

A collection of Model Context Protocol servers, templates, tools and more.

N
Notebooklm MCP Gateway
by @nazar256
GitHub Repo(1 stars)

MCP server by nazar256

Created 6/17/2026
Updated about 4 hours ago
README
View Source
Repository documentation and setup instructions

NotebookLM MCP Gateway

Unofficial TypeScript Cloudflare Worker that exposes a remote Streamable HTTP MCP gateway for NotebookLM.

The gateway lets an MCP client complete OAuth against the Worker, paste a fresh NotebookLM browser request artifact during authorization, and then call NotebookLM through MCP tools. The Worker is intentionally stateless: NotebookLM browser credentials are encrypted into signed OAuth/MCP token artifacts and are not stored in KV, Durable Objects, D1, R2, cache, or the filesystem.

Important disclaimer

This project uses reverse-engineered, undocumented NotebookLM/Google browser APIs.

  • It is not affiliated with, endorsed by, or supported by Google, NotebookLM, OpenAI, Anthropic, or Cloudflare.
  • NotebookLM internal endpoints, RPC IDs, payload shapes, authentication requirements, quotas, and product behavior may change without notice.
  • The MCP tools may break, return partial data, or behave differently across account tiers, regions, languages, and future NotebookLM releases.
  • Users paste browser authentication material into the OAuth page. Only self-host this Worker, or use deployments operated by someone you explicitly trust.
  • This is best treated as experimental software for personal projects, prototypes, and research automation. There are no stability, availability, or data-loss guarantees.

See SECURITY.md before deploying or connecting real accounts.

Features

  • Remote MCP endpoint at /mcp using Streamable HTTP.
  • OAuth Authorization Code + PKCE for public clients.
  • Dynamic Client Registration at POST /register.
  • Short-lived MCP bearer access tokens and stateless refresh tokens bounded by the selected connector expiration.
  • Encrypted NotebookLM credential envelopes inside signed OAuth artifacts.
  • Server-enforced OAuth/MCP scopes so users can grant read-only or selected chat/write/delete/share capabilities at consent time.
  • Zod-backed MCP input/output schemas and structuredContent on successful tool calls.
  • Sanitized MCP tool errors and tool outputs that avoid exposing cookies, Authorization headers, JWTs, or raw upstream response bodies.
  • Explicit guards for destructive or permission-changing tools.

Tools

The current MCP tool surface covers notebooks, sources, chat, notes, Studio artifacts, research, and sharing:

list_notebooks, get_notebook, create_notebook, rename_notebook, delete_notebook,
list_sources, add_url_source, add_youtube_source, add_text_source, add_drive_source,
get_source_guide, get_source_content, refresh_source, delete_source,
ask_notebook, get_last_conversation_id, get_conversation_turns,
list_notes, create_note, update_note, delete_note,
list_artifacts, generate_artifact, download_artifact,
start_research, poll_research, import_research_sources,
get_share_status, set_share_public

See docs/TOOLS.md for read/write/destructive markers and known limitations.

OAuth and MCP scopes

OAuth consent is least-privilege by default. If the client omits scope or sends it blank, the Worker grants only notebooklm:read. Unknown scopes or duplicate scope parameters are rejected with 400 invalid_request.

Supported scopes:

  • notebooklm:read — required baseline; read notebooks, sources, notes, chats, artifacts, and sharing status.
  • notebooklm:chat — ask questions, start research, and generate Studio artifacts.
  • notebooklm:write — create/edit notebooks, sources, notes, refresh sources, and import research sources.
  • notebooklm:delete — delete notebooks, sources, and notes.
  • notebooklm:share — change public link sharing.

The authorization page renders human-readable scope checkboxes. Optional scopes requested by the client are pre-checked and can be deselected before granting. Auth codes, access tokens, and refresh tokens carry the granted scope snapshot; refresh-token exchange preserves that exact snapshot and cannot widen access. /token responses include the granted scope string. MCP tools/list only advertises tools allowed by the token scopes, and direct calls to ungranted tools fail without invoking NotebookLM.

Limitations

  • NotebookLM APIs are private and can break without warning.
  • Browser file upload is not implemented; safe Worker proxying needs additional size, streaming, and trust-boundary work.
  • Binary artifact downloads are not proxied. download_artifact requests export metadata/URLs where available.
  • Stateless auth codes and refresh tokens cannot be server-side revoked or replay-detected before JWT expiry.
  • OAuth/MCP scopes are capability-level only. Object-level authorization still relies on the pasted NotebookLM browser session and upstream NotebookLM permissions.
  • Fine-grained user permission management is intentionally limited; only public/private link sharing is exposed through notebooklm:share.

Local development

npm ci
npm run dev
npm test
npm run typecheck

npm run dev uses dummy local-only signing/encryption values and localhost OAuth issuer/resource/audience overrides. Never reuse those values in a deployed Worker.

Deployment overview

  1. Edit wrangler.jsonc so OAUTH_ISSUER, MCP_RESOURCE, and MCP_AUDIENCE match your deployed Worker URL exactly.

  2. Set secrets through Wrangler stdin only:

    openssl rand -base64 48 | wrangler secret put OAUTH_JWT_SIGNING_KEY_B64
openssl rand -base64 32 | wrangler secret put NOTEBOOKLM_CREDENTIAL_ENC_KEY_B64
openssl rand -base64 48 | wrangler secret put CSRF_SIGNING_KEY_B64

  3. Run checks and deploy:

    npm run check
npx wrangler deploy

Do not store real secrets, browser cookies, Copy-as-cURL artifacts, or MCP/OAuth tokens in .env, .dev.vars, docs, logs, or git.

OAuth redirect policy

Dynamic Client Registration and /authorize enforce a narrow redirect allowlist:

  • https://chatgpt.com/connector/oauth/{callback_id} where {callback_id} matches [A-Za-z0-9_-]+
  • https://chatgpt.com/connector_platform_oauth_redirect
  • https://claude.ai/api/mcp/auth_callback
  • loopback http://localhost:{port}/callback, http://127.0.0.1:{port}/callback, and http://[::1]:{port}/callback

Optional OAUTH_EXTRA_REDIRECT_URI_PATTERNS can add tested HTTPS clients. It cannot allow arbitrary non-loopback HTTP redirects.

Credits and prior art

This gateway was built with protocol and UX inspiration from:

Those projects are independent; credit here does not imply endorsement or shared maintainership.

License

MIT. See LICENSE.

Quick Setup
Installation guide for this server

Install Package (if required)

npx @modelcontextprotocol/server-notebooklm-mcp-gateway

Cursor configuration (mcp.json)

{ "mcpServers": { "nazar256-notebooklm-mcp-gateway": { "command": "npx", "args": [ "nazar256-notebooklm-mcp-gateway" ] } } }
Author Servers
Other servers by nazar256

User Prompt MCP

A Model Context Protocol (MCP) server for Cursor that enables requesting user input during generation

7