1 Why Notion deserves its own Clash chapter in 2026
If you already maintain a long list of inference hosts for ChatGPT, Claude, or Gemini, you might assume those rows are enough for every “AI button” in your stack. Notion AI is different: the product’s primary contract is still the Notion workspace graph—blocks, databases, permissions, and offline-friendly caches—not a standalone chat domain you can proxy in isolation. When sign-in succeeds in Chrome but the desktop app loops on “connecting,” or when edits appear on mobile before they land on Windows, the failure mode is frequently a split routing mismatch between long-lived sockets and short HTTPS calls, not a missing OpenAI entry.
Clash on the Mihomo core makes those mismatches visible. Connection logs show the exact Server Name Indication (SNI) your client negotiated, and the first matching rule explains why a packet took PROXY_NOTION while a related asset still rode DIRECT. The goal of this article is to give knowledge workers a maintainable DOMAIN-SUFFIX baseline for the Notion ecosystem, then layer optional rule providers when security teams want audited updates instead of ad-hoc YAML edits on every laptop.
Start from a maintained desktop build via our download page. Upstream repositories remain the right place to read licenses and file issues; they should not be the casual installer channel when a curated build already exists for your platform.
2 Four planes: identity, continuous sync, public sites, and Notion AI
Plane one—identity and session renewal. Interactive login, workspace switching, and enterprise SSO flows typically converge on HTTPS endpoints under the notion.so registrable domain, with supporting marketing and corporate properties on notion.com and makenotion.com. From a routing perspective, the actionable abstraction is to treat the entire notion.so suffix as one coherent policy bucket unless compliance forces a finer split you can prove with logs.
Plane two—real-time collaboration and background sync. The editors keep WebSockets and incremental sync channels warm so databases and mentions feel instant. When those channels traverse a lossy or mis-ordered exit, users experience the classic “spinning sync” icon even though a simple HTTPS health check to the same vendor succeeds. Aligning DNS, IPv4/IPv6 preference, and proxy selection for the whole suffix is usually safer than pinning a single API hostname while leaving the socket plane on another node.
Plane three—public notion.site pages. Teams publish read-only sites and lightweight microsites on the notion.site suffix. Marketing and support teams often forget to add this suffix when they only whitelist notion.so for employees, which produces confusing “works in the app, broken on the public link” tickets. Add DOMAIN-SUFFIX,notion.site beside your workspace rules.
Plane four—Notion AI features embedded in the product. The assistant surfaces inside documents and databases; its requests are still orchestrated through Notion’s service edge rather than asking you to paste an OpenAI API key into Clash. That is why copying a pure OpenAI list from another article rarely fixes Notion-specific timeouts—you must first guarantee that the Notion app’s own calls and telemetry reach the same stable egress you chose for the editor shell.
notion and list every distinct hostname before you carve exceptions.
3 DOMAIN-SUFFIX coverage you can paste into Clash
A pragmatic personal profile routes the following suffixes to a dedicated select group such as PROXY_NOTION: DOMAIN-SUFFIX,notion.so for the workspace and API traffic most clients use; DOMAIN-SUFFIX,notion.site for published pages; DOMAIN-SUFFIX,notion.com and DOMAIN-SUFFIX,makenotion.com for marketing, careers, and corporate content that sometimes participates in deep links during onboarding; and DOMAIN-SUFFIX,notion-static.com for static assets that the web and desktop shells fetch aggressively. Together these rows express “the Notion product family” without resorting to overbroad DOMAIN-KEYWORD matches that collide with unrelated brands.
Teams that rely on attachments and inline previews may see additional object hosts in logs. Resist the urge to proxy all of amazonaws.com or every CDN on the internet—capture the exact hostname your tenant hits, add a narrow DOMAIN line if required, and revisit quarterly when Notion rotates infrastructure. If you centralize updates, store the curated list in a private rule provider and refresh it daily so operations can patch entries without shipping a full merged profile to every router.
Avoid permanent DOMAIN-KEYWORD,notion shortcuts. Keywords catch unrelated hostnames and internal experiments in ways suffix rules do not. Production-grade Clash split routing should prefer explicit suffix coverage, then fall back to GEOIP or MATCH only after your SaaS rows appear near the top of the rules: section.
4 Rule order: first match wins, even when the subscription looks “smart”
Clash evaluates rules: from top to bottom; the first hit terminates the search. Subscription bundles that inject aggressive regional shortcuts ahead of SaaS-specific rows are a frequent reason sign-in works in the browser while the Electron client stalls: the browser retries with a fresh connection profile, whereas the desktop shell reuses a half-open socket pinned to the wrong exit. Move explicit Notion lines above broad GEOIP or continent-level RULE-SET imports.
When you combine inline suffix entries with remote providers, remember duplicates defer to whichever rule appears earlier. Keep a tiny local override file at the top during incidents so you can hot-patch a hostname without waiting for a third-party feed to refresh. Document the intent in YAML comments so the next engineer understands why notion.so sits before a catch-all imported list.
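The first-match behaviour from this section and the keyword warning from section 3, as an added Python example (not code from Clash or Mihomo). It models only DOMAIN, DOMAIN-SUFFIX, DOMAIN-KEYWORD and MATCH; the `DOMAIN-KEYWORD,static,DIRECT` shortcut and the probe hostnames are constructed for illustration.

```python
# Added example: first-match evaluation for the domain rule types named above.
# Models DOMAIN, DOMAIN-SUFFIX, DOMAIN-KEYWORD and MATCH only (no GEOIP or RULE-SET).

def parse(lines):
    """Turn 'TYPE,value,POLICY' (or 'MATCH,POLICY') lines into tuples."""
    rules = []
    for line in lines:
        parts = [p.strip() for p in line.split(",")]
        kind = parts[0].upper()
        value = "" if kind == "MATCH" else parts[1].lower()
        rules.append((kind, value, parts[-1]))
    return rules

def hits(kind, value, host):
    if kind == "DOMAIN":
        return host == value
    if kind == "DOMAIN-SUFFIX":   # matches on a label boundary only
        return host == value or host.endswith("." + value)
    if kind == "DOMAIN-KEYWORD":  # plain substring, no boundary
        return value in host
    return kind == "MATCH"

def resolve(rules, host):
    """Return (index, policy) of the first rule that matches, top to bottom."""
    host = host.lower().rstrip(".")
    for i, (kind, value, policy) in enumerate(rules):
        if hits(kind, value, host):
            return i, policy
    return None, None

def shadowed(rules, host):
    """Later rules that also match host but lose to an earlier rule with another policy."""
    first, policy = resolve(rules, host)
    host = host.lower().rstrip(".")
    return [i for i, (k, v, p) in enumerate(rules)
            if first is not None and i > first and k != "MATCH"
            and hits(k, v, host) and p != policy]

# Constructed profiles: a broad keyword shortcut placed above vs. below the Notion rows.
NOTION = ["DOMAIN-SUFFIX,notion.so,PROXY_NOTION",
          "DOMAIN-SUFFIX,notion-static.com,PROXY_NOTION"]
SHORTCUT_FIRST = parse(["DOMAIN-KEYWORD,static,DIRECT"] + NOTION + ["MATCH,DIRECT"])
NOTION_FIRST = parse(NOTION + ["DOMAIN-KEYWORD,static,DIRECT", "MATCH,DIRECT"])
KEYWORD_ONLY = parse(["DOMAIN-KEYWORD,notion,PROXY_NOTION", "MATCH,DIRECT"])

if __name__ == "__main__":
    # Constructed probe hostnames; 'notional-metrics.example' is unrelated to Notion.
    for host in ["www.notion.so", "img.notion-static.com", "notional-metrics.example"]:
        print(host, resolve(SHORTCUT_FIRST, host), resolve(NOTION_FIRST, host),
              resolve(KEYWORD_ONLY, host), shadowed(SHORTCUT_FIRST, host))
```

A non-empty `shadowed` result is the signal to move the Notion rows up: a later Notion rule matches the host but an earlier rule has already sent it to a different policy.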
5 Rule providers, audits, and why teams adopt them for SaaS
Individual power users can stop at half a dozen DOMAIN-SUFFIX lines. Enterprise teams, however, often need evidence: who changed the egress policy, when, and whether the allowlist still matches the vendor’s documented endpoints. A rule provider on Mihomo lets you host a small YAML or text rule-set in a private bucket, reference it from rule-providers:, and refresh on a fixed interval. Security reviewers like the artifact trail; help desks like the ability to roll forward without asking every employee to paste YAML fragments into chat.
Pair provider updates with change management. When Notion ships a major AI feature, assume new telemetry or edge nodes will appear—schedule a log review the week after release instead of waiting for tickets. If you also manage other knowledge tools, keep each vendor’s provider separate. Our NotebookLM routing guide walks through a similar pattern for Google’s research stack; merging unrelated suffix families into one catch-all group obscures audits and complicates rollback.
RULE-SET imports as hints, not gospel.
6 Illustrative YAML for proxy groups, DOMAIN-SUFFIX rows, and providers
The fragment below is educational. Rename groups to fit your profile, merge with subscription naming conventions, and validate through your GUI’s linter before pushing to a router. Remote URLs are placeholders; host your own rule text if you do not yet trust an external CDN for policy files.
# Example only — merge with your full profile
proxy-groups:
  - name: PROXY_NOTION
    type: select
    proxies:
      - AUTO-BEST
      - DIRECT

rule-providers:
  notion-saas:
    type: http
    behavior: classical
    url: "https://example.com/rules/notion-saas.txt"  # placeholder URL
    path: ./ruleset/notion-saas.yaml
    interval: 86400  # seconds between refreshes (daily)

rules:
  # First match wins: keep these rows above broad GEOIP or regional RULE-SET imports
  - RULE-SET,notion-saas,PROXY_NOTION
  - DOMAIN-SUFFIX,notion.so,PROXY_NOTION
  - DOMAIN-SUFFIX,notion.site,PROXY_NOTION
  - DOMAIN-SUFFIX,notion.com,PROXY_NOTION
  - DOMAIN-SUFFIX,makenotion.com,PROXY_NOTION
  - DOMAIN-SUFFIX,notion-static.com,PROXY_NOTION
Pair these rows with coherent DNS. Misaligned DNS-over-HTTPS, FakeIP, and operating-system stub resolvers still produce “rule matched but certificate mismatch” symptoms. Our DNS leak prevention article explains resolver alignment patterns that apply to any long-lived SaaS client, including editors that reopen sockets aggressively after sleep or dock/undock events.
7 Web, desktop, mobile, and mixed SSO environments
Each client stack honors proxies differently. Chromium-based browsers usually respect system proxy settings, while packaged desktop apps may ignore them unless you enable environment-wide capture. For mixed stacks—browser SSO plus a native Notion client—TUN mode on Mihomo frequently yields the most coherent story because packets enter Clash before user-space libraries apply their own policy. Our Clash Verge Rev TUN guide covers loop avoidance and verification steps that generalize beyond a single vendor.
Mobile deployments add another wrinkle. iOS and Android may switch networks when users walk between floors, toggling IPv6 preference or captive portals. If sync stalls only on cellular, compare SNIs from Wi-Fi and LTE sessions; sometimes a carrier-grade NAT path bypasses your selective proxy while Wi-Fi respects it. Document the working combination so support teams do not chase “AI slowness” when the root cause is asymmetric routing.
Enterprise SSO introduces short-lived tokens and redirect chains. If only the final API host is proxied while an intermediate IdP hostname is not, you can pass login in the browser yet fail token exchange inside the app. Capture the full redirect graph once, mirror the suffix coverage for every hop your identity team approves, and re-test after certificate rotations.
8 DNS, TLS, and troubleshooting with Mihomo logs
Start every incident by filtering logs for the policy group you assigned to Notion traffic. If page loads succeed but live cursors freeze, compare timestamps on WebSocket lines versus ordinary HTTPS—two different exits usually mean two different rules matched. Streaming AI responses are sensitive to bufferbloat: tiny JSON probes may succeed while longer streams stall, so swap nodes only after you prove ordering and DNS are clean.
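One way to run the comparison described above over a saved log, as an added Python example rather than a Mihomo tool. The log line shape in the regex is an assumption about info-level connection logs, and the sample lines, node names and subdomains are constructed.

```python
import re
from collections import defaultdict

# Suffix family taken from the rule rows in this article.
NOTION_SUFFIXES = ("notion.so", "notion.site", "notion.com",
                   "makenotion.com", "notion-static.com")

# Assumed log shape: "[TCP] src --> host:port match Rule(payload) using GROUP[node]".
LINE = re.compile(r'\[(?:TCP|UDP)\] \S+ --> (?P<host>[^\s:]+):\d+ '
                  r'match (?P<rule>\S+) using (?P<chain>[^"\s]+)')

def in_family(host):
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in NOTION_SUFFIXES)

def exits_by_policy(log_text):
    """Map policy group -> {host: matched rule} for Notion-family connections."""
    seen = defaultdict(dict)
    for m in LINE.finditer(log_text):
        if in_family(m["host"]):
            group = m["chain"].split("[", 1)[0]  # drop the "[node]" part
            seen[group][m["host"]] = m["rule"]
    return dict(seen)

def split_routing(log_text, expected="PROXY_NOTION"):
    """Return {host: (group, rule)} for family hosts that left via another group."""
    return {h: (g, r) for g, hosts in exits_by_policy(log_text).items()
            if g != expected for h, r in hosts.items()}

# Constructed log lines (addresses, node names and subdomains are made up).
SAMPLE = '''
time="2026-01-12T09:14:03Z" level=info msg="[TCP] 192.168.1.20:51844 --> www.notion.so:443 match DomainSuffix(notion.so) using PROXY_NOTION[node-a]"
time="2026-01-12T09:14:04Z" level=info msg="[TCP] 192.168.1.20:51850 --> img.notion-static.com:443 match DomainKeyword(static) using DIRECT"
time="2026-01-12T09:14:05Z" level=info msg="[TCP] 192.168.1.20:51852 --> docs.example.org:443 match Match using DIRECT"
'''

if __name__ == "__main__":
    for host, (group, rule) in split_routing(SAMPLE).items():
        print(f"{host} left via {group}, matched by {rule}")
```

The matched rule printed beside each stray host shows which row to move or narrow. The log does not label WebSocket connections, so the timestamp comparison between long-lived and short connections still has to be done by eye.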
IPv6 split paths remain a common footgun. When the operating system prefers IPv6 first but your proxy path assumes IPv4-only hops, some sessions bypass Clash intermittently. Either route IPv6 consistently through Mihomo or temporarily isolate the issue by disabling IPv6 during triage, then return with a structural fix instead of leaving the toggle off forever. Enterprise DNS filtering can also rewrite answers; compare resolver output from inside Clash with the stub resolver on the host to detect drift.
Remember that HTTP 401 and 403 responses after connectivity is restored usually indicate entitlement or workspace policy problems, not routing mistakes. Rotate credentials that leaked into logs, prefer short-lived tokens for automation, and treat stable Clash split routing as a prerequisite—not a substitute—for correct permissions inside Notion.
9 How this differs from ChatGPT, NotebookLM, and IDE copilots
Our ChatGPT-focused guide centers on OpenAI’s public API and web surfaces—hostnames that do not overlap with the Notion graph. The NotebookLM article maps Google’s research stack. IDE copilot articles emphasize extension hosts and editor telemetry. Treat each guide as a modular chapter: reuse DNS and TUN fundamentals everywhere, swap only the vendor-specific suffix block. That discipline keeps Notion AI work distinct from “generic AI” lists while avoiding duplicate maintenance.
10 FAQ
- Is notion.so alone enough? Often not for full-fidelity UX—add notion.site for public links and include static and corporate suffixes unless logs prove they are unused in your tenant.
- Should I merge Notion into my OpenAI group? Only if logs show every AI call exits through the same policy you trust for OpenAI—which is uncommon. Prefer a dedicated PROXY_NOTION group and merge only after measurement.
- Why does sign-in work but sync fails? Different transports—HTTPS vs WebSockets—may hit different rules or IPv6 paths. Align suffix coverage and verify ordering before blaming Notion itself.
- Can I use system proxy only? Sometimes, but mixed clients frequently need TUN or per-app exceptions. Test both before standardizing.
11 Wrap-up
In 2026, reliable Notion and Notion AI experiences hinge on treating the workspace as a single routed family: sign-in and session renewal on notion.so-class hosts, continuous sync and collaboration channels on the same plane, public content on notion.site, and supporting assets on dedicated static and corporate suffixes. Express that with Clash split routing using explicit DOMAIN-SUFFIX rows ordered ahead of blunt regional shortcuts, optional curated rule providers for teams, and Mihomo DNS settings that match how your clients resolve names. Compared with generic OpenAI lists, this playbook stays anchored to the product’s own edge—so you spend less time duplicating unrelated domains and more time shipping documentation your colleagues can actually open.
Among proxy stacks, Clash’s readable YAML and mature desktop clients appeal to operators who juggle browsers, native apps, and occasional terminals on one machine. When you need installers, prefer our download hub for versioned packages; cite upstream repositories for transparency, not as the default end-user installer path.
Once routing stops stealing cycles, product teams can focus on templates, permissions, and AI prompts—which is what a dependable office network stack should unlock for Notion users this year.