Evernote Production Checklist

Overview

Comprehensive checklist for deploying Evernote integrations to production, covering API key activation, security hardening, rate limit handling, monitoring, and go-live verification.

Prerequisites

• Completed development and testing in sandbox
• Production API key approved by Evernote (requires review process)
• Production infrastructure provisioned

Instructions

API Key & Authentication

• Production API key requested and approved by Evernote
• EVERNOTE_SANDBOX=false in production config
• Consumer key and secret stored in secrets manager (not env files)
• OAuth callback URL uses HTTPS on production domain
• Token expiration tracking implemented (edam_expires)
• Token refresh/re-auth flow tested end-to-end

Security

• Access tokens encrypted at rest (AES-256-GCM)
• CSRF protection on OAuth flow
• API credentials not in source control (.env in .gitignore)
• Log output redacts tokens and PII
• Input validation on all user-supplied content (ENML sanitization)
• Rate limit handling prevents API key suspension

Rate Limits & Performance

• Exponential backoff on RATE_LIMIT_REACHED errors
• Minimum delay between API calls (100-200ms)
• Response caching for listNotebooks() and listTags() (5-10 min TTL)
• findNotesMetadata() used instead of findNotes() for listings
• Batch operations use sequential processing with delays

Monitoring & Alerting

• Health check endpoint verifies Evernote API connectivity
• Metrics tracked: API call count, latency, error rate, rate limits
• Alerts configured for rate limits, auth failures, and high error rates
• Structured logging with correlation IDs
• Quota usage monitoring with threshold alerts (75%, 90%)

Data Integrity

• ENML validation before every createNote/updateNote call
• Note titles sanitized (max 255 chars, no newlines)
• Tag names validated (max 100 chars, no commas)
• Resource hashes verified (MD5 match)
• Sync state (USN) tracked and persisted for incremental sync

Deployment

• Production Docker image built with multi-stage build
• NODE_ENV=production set in container
• Graceful shutdown handles in-flight API calls
• Rollback plan documented and tested
• Deployment verification script runs post-deploy

Verification Script

#!/bin/bash
set -euo pipefail

echo "Verifying Evernote production deployment..."

# 1. Health check
curl -sf "$APP_URL/health" | jq '.evernoteApi' | grep -q '"connected"'
echo "  Health check: PASS"

# 2. Create test note
GUID=$(curl -sf "$APP_URL/api/test-note" | jq -r '.guid')
echo "  Note creation: PASS (GUID: $GUID)"

# 3. Clean up test note
curl -sf -X DELETE "$APP_URL/api/notes/$GUID"
echo "  Cleanup: PASS"

echo "All checks passed."

For the complete checklist details and verification scripts, see Implementation Guide.

Output

• Production readiness checklist (API keys, security, performance, monitoring)
• Verification script for post-deployment testing
• Security audit checklist for credential and token management
• Monitoring setup verification

Error Handling

Resources

• Evernote Developer Portal
• API Key Request
• Rate Limits
• OAuth Documentation

Next Steps

For version upgrades, see evernote-upgrade-migration.

Examples

Go-live checklist: Walk through each section, check off items, run the verification script, and sign off with the team before switching DNS to the production deployment.

Security audit: Review encrypted token storage, verify log redaction, confirm CSRF protection, and test token expiration handling before the production launch.