Everbridge Password Requirements

This is just for reference. I had to create a new user to get this info and figured I’d save you reading this, from that exercise.

1. At least 8 characters
2. At least one item from three of the following four groups:

  • Uppercase letters (A – Z)
  • Lowercase letters (a – z)
  • Numerals (0 – 9)
  • Special characters: ! @ # $ % ^ & * ( )

3. Cannot contain your account, first or last name


Notice the similarity to the Okta default (configurable) password requirements:

1. Minimum length 8 characters
2. Complexity requirements
[*] Lower case letter
[*] Upper case letter
[*] Number (0-9)
[  ] Symbol (e.g., !@#$%^&*)
[*] Does not contain part of username
[  ] Does not contain first name
[  ] Does not contain last name

How to get and configure an Everbridge API Key

The Everbridge API is an add-on feature that allows programmatic access to your account. It requires Everbridge activation and a little setup on your end. This post is meant to speed up the process and pass along some API best practices.

TL;DR, you need an API key NOW

If you need an API key right away, do the following steps and then engage your Everbridge Account Manager (AM) or Everbridge Support for activation assistance.

  1. Create a new Everbridge user with the security you want the API to have.
  2. Give the user log friendly naming e.g., “Sentworks API”
  3. Save the user record.
  4. Put this new user in edit mode and copy the URL for the next step.
  5. Send an email to your AM or Support requesting API activation assistance, include your:
    1. Company name
    2. Everbridge Account name
    3. The API users Everbridge ID, this is the end of the URL you copied in the previous step.
  6. Once support activates the user account with API access, you’re ready to create the API key.

How to create an Everbridge API Key

An Everbridge API key is the username and password of an API activated user account, encoded with base64. To create this key, do the following.

  1. Get the username and password of the API user account
  2. Encode the username:password, (note the separating colon) e.g., sentworksAPI:Exw7v23k at one of the following sites
    1. base64encode.org
    2. sentworks.com/community/
  3. Example username:password will equal dXNlcm5hbWU6cGFzc3dvcmQ=
  4. Example sentworksAPI:Exw7v23k = c2VudHdvcmtzQVBJOkV4dzd2MjNr
  5. Don’t forget to put the colon in-between the username and password.
  6. Make sure the username is case correct.

Test the Key

  1. Use api.everbridge.net to test your API key.
  2. Expand “/contacts”
  3. Expand “GET /contacts/{organizationId}”
  4. Paste the API key into the “credentials” field.
  5. Paste your Org ID into the “organizationId” field.
  6. Click the “Try it Out!” button.
  7. You should get a “message”: “OK” result.

Everbridge API Best Practices

API Security Audit

  • You may already have API enabled user accounts. There is no way to tell if a user is associated with the API by looking at their Everbridge user record. The only way to find out is to test each user account with the “Test the Key” method above. If you too many user accounts, ask Everbridge for assistance or use the API Security audit feature inside https://sentworks.com

API Logging

  • How many user accounts do you need? To Everbridge, API calls are identical to actions done by users in the browser. If you have multiple use cases or systems using the Everbridge API, make sure you have a user account for each of them. This is critical to permissions and event logging.
  • Give it a good user name. Example: Sentworks API. All actions done with this API key will be stamped with its user name. To enhance audit, dedicate an API user account for each vendor or app that uses the API.

Proper API security scope

  • Determine the least amount of privilege required for an API’s usage. For example, if it’s used for contact updates, set the permissions to Data Manager.

API Passwords and Basic Security

  • Give your API a strong password!
  • Be careful with password changes, it could break an API key currently being used.
  • The API password never needs to be changed, even if you have password expiration enforced on your organization. The trick is to NEVER log in to Everbridge with your API account. If you do, it sets into place any rules you may have enforced or intent to enforce in the future.
  • Again, don’t login to Everbridge with your API user account! Doing so will set in motion any password expiration rules that have been set in your Everbridge org. Even if you don’t have password expiration set, this is still a good best practice to follow, there really is no need to use it.