Evernote Production Checklist

Overview

Comprehensive checklist for deploying Evernote integrations to production, covering API key activation, security hardening, rate limit handling, monitoring, and go-live verification.

Prerequisites

• Completed development and testing in sandbox
• Production API key approved by Evernote (requires review process)
• Production infrastructure provisioned

Instructions

API Key & Authentication

• Production API key requested and approved by Evernote
• EVERNOTE_SANDBOX=false in production config
• Consumer key and secret stored in secrets manager (not env files)
• OAuth callback URL uses HTTPS on production domain
• Token expiration tracking implemented (edam_expires)
• Token refresh/re-auth flow tested end-to-end

Security

• Access tokens encrypted at rest (AES-256-GCM)
• CSRF protection on OAuth flow
• API credentials not in source control (.env in .gitignore)
• Log output redacts tokens and PII
• Input validation on all user-supplied content (ENML sanitization)
• Rate limit handling prevents API key suspension

Rate Limits & Performance

• Exponential backoff on RATE_LIMIT_REACHED errors
• Minimum delay between API calls (100-200ms)
• Response caching for listNotebooks() and listTags() (5-10 min TTL)
• findNotesMetadata() used instead of findNotes() for listings
• Batch operations use sequential processing with delays

Monitoring & Alerting

• Health check endpoint verifies Evernote API connectivity
• Metrics tracked: API call count, latency, error rate, rate limits
• Alerts configured for rate limits, auth failures, and high error rates
• Structured logging with correlation IDs
• Quota usage monitoring with threshold alerts (75%, 90%)

Data Integrity

• ENML validation before every createNote/updateNote call
• Note titles sanitized (max 255 chars, no newlines)
• Tag names validated (max 100 chars, no commas)
• Resource hashes verified (MD5 match)
• Sync state (USN) tracked and persisted for incremental sync

Deployment

• Production Docker image built with multi-stage build
• NODE_ENV=production set in container
• Graceful shutdown handles in-flight API calls
• Rollback plan documented and tested
• Deployment verification script runs post-deploy

Verification Script

#!/bin/bash
set -euo pipefail

echo "Verifying Evernote production deployment..."

# 1. Health check
curl -sf "$APP_URL/health" | jq '.evernoteApi' | grep -q '"connected"'
echo "  Health check: PASS"

# 2. Create test note
GUID=$(curl -sf "$APP_URL/api/test-note" | jq -r '.guid')
echo "  Note creation: PASS (GUID: $GUID)"

# 3. Clean up test note
curl -sf -X DELETE "$APP_URL/api/notes/$GUID"
echo "  Cleanup: PASS"

echo "All checks passed."

For the complete checklist details and verification scripts, see Implementation Guide.

Output

• Production readiness checklist (API keys, security, performance, monitoring)
• Verification script for post-deployment testing
• Security audit checklist for credential and token management
• Monitoring setup verification

Error Handling

Error	Cause	Solution
INVALID_AUTH in production	Using sandbox token with production endpoint	Verify EVERNOTE_SANDBOX=false matches production key
Verification script fails	Service not healthy after deploy	Check logs, rollback if needed
Rate limits on launch	Burst of API calls at startup	Add startup delay, warm caches gradually
PERMISSION_DENIED	Production key missing permissions	Contact Evernote developer support

Resources

• Evernote Developer Portal
• API Key Request
• Rate Limits
• OAuth Documentation

Next Steps

For version upgrades, see evernote-upgrade-migration.

Examples

Go-live checklist: Walk through each section, check off items, run the verification script, and sign off with the team before switching DNS to the production deployment.

Security audit: Review encrypted token storage, verify log redaction, confirm CSRF protection, and test token expiration handling before the production launch.