Connect Bubble to McAfee (now Trellix) by calling the ePO REST API through Bubble's API Connector with a two-step auth flow: first POST to /auth/token for a Bearer token, then use that token on all subsequent calls. Because Bubble has no automatic token refresh, a Scheduled Backend Workflow must re-fetch the token before it expires. Self-hosted ePO behind a corporate VPN is the most common hard blocker — the API port must be publicly accessible before any Bubble configuration will work.
| Fact | Value |
|---|---|
| Tool | McAfee (Trellix ePO) |
| Category | DevOps & Tools |
| Method | Bubble API Connector |
| Difficulty | Advanced |
| Time required | 3–5 hours |
| Last updated | July 2026 |
Bubble + McAfee/Trellix ePO: an endpoint security dashboard for non-technical stakeholders
McAfee Enterprise — now Trellix — manages endpoint security across thousands of corporate devices through its ePolicy Orchestrator (ePO) platform. ePO is not a SaaS product with a sign-up page and a self-serve API key: it is enterprise software deployed on-premise or in a private cloud, managed by IT security teams, and accessed primarily through the ePO web console. Building a Bubble integration to ePO is therefore a genuinely advanced project — not because the Bubble configuration is inherently complex, but because three infrastructure prerequisites must be resolved before any Bubble setup can begin.
Prerequisite one: network access. Bubble Cloud cannot reach an ePO server on a private corporate network. The ePO REST API port (typically 8443) must be accessible from the public internet, or an authenticated reverse proxy (such as a Cloudflare Tunnel or nginx on a public server) must forward traffic to the internal ePO instance. This is an infrastructure decision that requires IT approval and configuration — not something a Bubble developer can resolve alone.
Prerequisite two: SSL certificates. Bubble's API Connector rejects self-signed SSL certificates, which are common on on-premise ePO deployments. The ePO server must present a certificate from a public Certificate Authority (CA), or the integration must be fronted by a proxy with a valid public certificate. Many enterprise ePO deployments use internal CA certificates — valid within the corporate network but not trusted by Bubble's servers.
Prerequisite three: the two-step auth flow. ePO requires a POST request to /auth/token with credentials before any other API call is possible. Bubble has no built-in token lifecycle management, so the app must implement token storage and scheduled refresh explicitly.
Once these three prerequisites are met, the Bubble integration is clean and provides real value: security executives and operations managers can view endpoint protection status, malware detection counts, and policy compliance rates from a Bubble dashboard without needing ePO access credentials.
Integration method
The Bubble API Connector implements a two-step auth flow: a 'getEPOToken' POST call obtains a short-lived Bearer token from /auth/token, and all subsequent ePO API calls use that token in a dynamic Authorization header. A Scheduled Backend Workflow handles automatic token refresh.
Prerequisites
- An active Trellix ePO deployment (on-premise ePO 5.x or Trellix ePO Cloud) with REST API enabled — the REST API is disabled by default in some ePO versions and must be enabled by an ePO admin
- ePO REST API publicly accessible (port typically 8443) — the API must be reachable from Bubble's servers; ePO behind a corporate VPN without a reverse proxy cannot be reached by Bubble Cloud
- A valid public CA-signed SSL certificate on the ePO server (or reverse proxy with a valid certificate) — Bubble's API Connector rejects self-signed certificates
- An ePO user account with read access to the System Tree and Threat Event tables, used for the API token request
- A Bubble app on the Starter plan or above — Backend Workflows are required for the token refresh mechanism and for scheduled security data polling
- The free API Connector plugin by Bubble installed in your app (Plugins → Add plugins → search 'API Connector')
- Your ePO server's base URL and port (e.g., https://epo.company.com:8443) confirmed accessible from the public internet
Step-by-step guide
Step 1 — Confirm ePO REST API accessibility and gather connection details
Before configuring anything in Bubble, verify that the Trellix ePO REST API is reachable from the public internet. Open a browser on any network not connected to your corporate VPN and navigate to https://your-epo-server:8443/trellix/epo/v2/system.ping (replace with your actual ePO hostname and port). If you see a JSON response like {"version":"..."}, the API is accessible. If the browser shows a connection timeout or certificate error, the networking prerequisite is not yet met. For connection timeouts: work with your IT infrastructure team to expose the ePO REST API port via a reverse proxy (nginx on a public server, or a Cloudflare Tunnel pointing to the internal ePO host). For certificate errors: the ePO server is using a self-signed or internal CA certificate that Bubble's API Connector will also reject — ask your IT team to either provision a public CA certificate (Let's Encrypt works for publicly accessible servers) or put the ePO API behind a reverse proxy that terminates TLS with a valid certificate. Note your ePO base URL including port: https://your-epo-hostname:8443/trellix/epo/v2. Also confirm whether you are on ePO 5.x (on-premise) or Trellix ePO Cloud — the endpoint paths and auth behavior may differ slightly between versions.
1// ePO REST API accessibility check2// From a browser NOT on your corporate VPN, navigate to:3// https://your-epo-server:8443/trellix/epo/v2/system.ping45// Expected response if accessible:6// { "version": "5.x.x", "status": "OK" }78// Connection details to gather:9// base_url = https://your-epo-server:8443/trellix/epo/v210// auth_endpoint = /auth/token11// systems_endpoint = /system/query12// threats_endpoint = /event/threat1314// SSL requirement: Bubble API Connector rejects these:15// - Self-signed certificates16// - Internal CA certificates not in public trust stores17// Solution: public CA-signed certificate OR reverse proxy with valid cert1819// Network options for private-network ePO:20// Option A: nginx reverse proxy on a public server → forwards to internal ePO21// Option B: Cloudflare Tunnel (cloudflared) → no open firewall port needed22// Option C: Bubble Dedicated Cluster + VPN peering (enterprise scope)Pro tip: Cloudflare Tunnel (formerly Argo Tunnel) is often the fastest path to exposing a private-network ePO API without opening firewall ports or reconfiguring network rules. A lightweight cloudflared daemon runs inside the corporate network, creates an outbound tunnel to Cloudflare, and you get a public HTTPS hostname with a valid certificate. IT security teams generally prefer this to opening inbound firewall rules.
Expected result: The ePO REST API responds to a ping from a public network browser with a valid JSON response and no SSL certificate warning. You have confirmed the base URL, port, and API version. Network prerequisites are resolved.
Step 2 — Configure the Bubble API Connector with ePO credential calls
Open your Bubble app editor → Plugins → API Connector → Add another API. Name the group 'Trellix ePO.' In the 'Root URL' field, enter your ePO base URL: https://your-epo-server:8443/trellix/epo/v2. Add a shared header: key 'Content-Type,' value 'application/json' (no Private checkbox). Do not add the Authorization header to the group level yet — the auth token must be fetched first and stored, and subsequent calls will use a dynamic header. Inside this group, add the first call: name it 'getEPOToken.' Set method to POST. Endpoint: /auth/token. In the Body section, set Body Type to 'JSON' and add the body: {"userId": "YOUR_EPO_USERNAME", "password": "YOUR_EPO_PASSWORD"}. Click the 'Private' indicator on the userId and password fields in the body (in Bubble's API Connector, you can mark individual body parameters as Private). Set 'Use as' to 'Action' (since this call is a login operation, not a data-retrieval call). Click 'Initialize call' — this fires the POST to ePO. If successful, ePO returns a JSON body containing a token field (the Bearer token string). If it returns a 401, verify the username and password. Click 'Save.'
1// Bubble API Connector — Trellix ePO group configuration2{3 "api_group_name": "Trellix ePO",4 "root_url": "https://your-epo-server:8443/trellix/epo/v2",5 "shared_headers": [6 {7 "key": "Content-Type",8 "value": "application/json"9 }10 ]11}1213// Call 1: getEPOToken14{15 "call_name": "getEPOToken",16 "method": "POST",17 "endpoint": "/auth/token",18 "body_type": "JSON",19 "body": {20 "userId": "<private: your-epo-username>",21 "password": "<private: your-epo-password>"22 },23 "use_as": "Action"24}2526// Expected response from ePO /auth/token:27// {28// "token": "eyJhbGciOiJSUzI1NiIsInR5cCI6...",29// "expires_in": 360030// }Pro tip: The ePO user account credentials in the getEPOToken body should belong to a dedicated service account with the minimum ePO permissions needed — typically 'View' access to Systems and Threat Events. Using a personal ePO admin account means the Bubble integration breaks if that employee's account is disabled or their password changes.
Expected result: The 'getEPOToken' call is initialized and returns a token string in the response. The call is set to 'Use as: Action.' Bubble detects the 'token' field in the response body.
Step 3 — Create the EPOToken data type and store the Bearer token securely
The retrieved ePO Bearer token must be stored somewhere Bubble's subsequent API calls can read it as a dynamic parameter. Create a single-row Bubble data type to hold this token. Click Data → Data types → Add a new type → name it 'EPOToken.' Add two fields: 'token_value' (text) and 'fetched_at' (date). This data type should hold exactly one record at any time — the current valid token. Now configure strict privacy rules: click Data → Privacy → EPOToken. Remove any 'Everyone' rule. Add a single rule: Condition = Current User has role Admin → View all fields, Modify all fields. Under no circumstance should this data type be readable by non-admin users — the stored Bearer token grants access to the entire ePO system. Create the initial single-row record manually: go to Data → App data → EPOToken → Create new EPOToken → leave token_value empty for now (the first Backend Workflow run will populate it). Also go to Settings → API and ensure 'Enable Data API' is OFF so this record cannot be accessed via Bubble's public data endpoint.
1// Bubble Data tab — EPOToken data type2// Data → Data types → EPOToken3// Fields:4// token_value — text (the Bearer token string from ePO)5// fetched_at — date (when the token was last retrieved)67// Data → Privacy → EPOToken rules:8// Rule: Current User has role Admin → View all fields, Modify all fields9// Default: No access (no Everyone rule)1011// Settings → API: Ensure 'Enable Data API' = OFF12// (An enabled Data API could expose the EPOToken record to unauthenticated requests)1314// The EPOToken table will always contain exactly one row.15// Initial row: created manually in Data → App data with empty token_value.16// All subsequent updates come from the 'Refresh ePO Token' Backend Workflow.Pro tip: A single-row singleton data type is a common Bubble pattern for storing application-level credentials or configuration. Always create the initial row manually in Data → App data so the Backend Workflow can use 'Make changes to EPOToken' (update) rather than 'Create EPOToken' (insert) on each run — this ensures there is never more than one token record, avoiding duplication.
Expected result: The EPOToken data type exists with token_value and fetched_at fields. Privacy rules restrict access to admins only. One initial empty row exists in App data. The Data API is confirmed disabled.
Step 4 — Create ePO system query calls using the stored token as a dynamic header
Add the ePO system query calls inside the Trellix ePO API Connector group. Click 'Add call' and name the first call 'Query Systems.' Set method to POST. Endpoint: /system/query (verify the exact path from your ePO REST API documentation for your ePO version — paths may vary between ePO 5.x and Trellix ePO Cloud). Set Body Type to JSON with body: {"select": {"columns": ["EPOComputerProperties.ComputerName", "EPOComputerProperties.OSType", "EPOComputerProperties.LastUpdate", "EPOLeafNode.Tags", "EPOComputerProperties.AgentVersion"]}, "where": {"filter": {}}, "limit": 250}. Now add an Authorization header at the CALL level (not group level, since it needs the dynamic token value): key = 'Authorization,' value = 'Bearer ' + (result of: search for EPOToken:first item's token_value). In Bubble's API Connector, this dynamic value is expressed by clicking the parameter field and using the 'Get data from an external API' or 'Do a search for EPOToken's token_value' option to dynamically load the stored token. Set 'Use as' to 'Data.' Add a second call named 'Get Threat Events' — POST to /event/threat with a time-range filter in the body and the same dynamic Authorization header.
1// Bubble API Connector — 'Query Systems' call2{3 "call_name": "Query Systems",4 "method": "POST",5 "endpoint": "/system/query",6 "headers": [7 {8 "key": "Authorization",9 "value": "Bearer <dynamic: EPOToken first item's token_value>"10 }11 ],12 "body_type": "JSON",13 "body": {14 "select": {15 "columns": [16 "EPOComputerProperties.ComputerName",17 "EPOComputerProperties.OSType",18 "EPOComputerProperties.LastUpdate",19 "EPOComputerProperties.AgentVersion"20 ]21 },22 "where": { "filter": {} },23 "limit": 250,24 "offset": 025 },26 "use_as": "Data"27}2829// 'Get Threat Events' call:30{31 "call_name": "Get Threat Events",32 "method": "POST",33 "endpoint": "/event/threat",34 "body": {35 "select": { "columns": ["AutoID", "ThreatName", "Severity", "DetectedUTC", "SystemName"] },36 "where": {37 "filter": {38 "field": "DetectedUTC",39 "operator": ">",40 "value": "<dynamic: 24 hours ago timestamp>"41 }42 },43 "limit": 10044 },45 "use_as": "Data"46}Pro tip: ePO system queries can be slow for large deployments (10,000+ endpoints) because ePO executes a database query on every API request. Add a 'limit: 250' and 'offset' parameter to every system query call and chain Backend Workflows for pagination when full-dataset syncs are needed. For the Bubble dashboard, displaying the most recent 250 endpoints sorted by LastUpdate is usually sufficient without pagination.
Expected result: The 'Query Systems' and 'Get Threat Events' calls are initialized and return ePO data. Each call uses the EPOToken record's token_value as a dynamic Authorization header value. Bubble detects the nested response fields from ePO's JSON.
Step 5 — Set up the token refresh Backend Workflow with scheduling
Create a Backend Workflow that fetches a fresh ePO token and stores it. Navigate to Backend Workflows in the Bubble editor (Starter plan required). Add a new API Workflow and name it 'Refresh ePO Token.' This workflow does two things: Step 1 — Call the 'getEPOToken' API Connector action. Step 2 — Make changes to EPOToken (the single-row record) setting token_value = Step 1's response token field, and fetched_at = Current date/time. Now schedule this workflow to run before the token expires. If your ePO token expires after 60 minutes (3600 seconds), schedule the refresh every 50 minutes (3000 seconds) to provide a safety buffer. From an app initialization workflow or a page-load workflow, add a 'Schedule API Workflow' action for 'Refresh ePO Token' recurring every 3000 seconds. Add a health check: create a separate Backend Workflow 'ePO Health Check' that reads the EPOToken's fetched_at field and sends an admin email alert if the token is more than 90 minutes old — this catches cases where the refresh workflow failed silently (for example, if the ePO server was unreachable during the refresh cycle).
1// Backend Workflow: 'Refresh ePO Token'2// Navigate to: Backend Workflows section (Starter plan required)34// Step 1: Call API connector action5// Call: Trellix ePO > getEPOToken6// (This POSTs credentials to /auth/token and returns the new token)78// Step 2: Make changes to EPOToken9// Thing to change: Do a search for EPOToken > first item10// Changes:11// token_value = Result of step 1's token12// fetched_at = Current date/time1314// Scheduling (from an app-startup or initialization workflow):15// Action: Schedule API Workflow16// Workflow: Refresh ePO Token17// Scheduled time: Current date/time18// Recurs: Yes, every 3000 seconds (50 minutes)1920// Health check workflow: 'ePO Token Health Check'21// Trigger: Scheduled (every 90 minutes, offset from refresh)22// Step 1: Search for EPOToken:first item23// Step 2: Only when Step1's fetched_at is more than 90 minutes ago:24// Send email to admin: 'ePO token refresh has not run in 90+ minutes'Pro tip: If you need to know the exact token TTL for your ePO instance, look at the 'expires_in' field in the getEPOToken response (if your ePO version returns it) or ask your ePO administrator. The token expiry is configurable per ePO instance. Set the refresh interval to 80% of the TTL to avoid calling with an expired token.
Expected result: The 'Refresh ePO Token' Backend Workflow runs on schedule and updates the EPOToken record's token_value on each cycle. The health check workflow can detect and alert on refresh failures. All system query calls use the always-fresh token from the EPOToken record.
Step 6 — Build the security posture dashboard page
Create a Bubble page named 'security-dashboard' visible only to admin users (set page access controls in the Bubble editor to require Current User has role Admin — Bubble checks this before rendering the page). Add summary metric cards at the top: total managed endpoints (count of Bubble EndpointRecord Things), endpoints with high-severity threat events in the last 24 hours (count of ThreatEvent Things where severity = 'High' and detection_timestamp > 24 hours ago), and last sync time (EPOToken's fetched_at formatted as 'Refreshed at HH:MM:SS'). Add a Repeating Group for endpoint inventory: Type = EndpointRecord, data source = search for EndpointRecord sorted by last_update descending. Cells show computer name, OS type, agent version, and a 'Last seen' relative timestamp. Add a second Repeating Group for threat events: Type = ThreatEvent, filtered to last 24 hours, sorted by severity. Add severity badges (red = High, orange = Medium, yellow = Low). Consider adding a 'Trigger Manual Sync' button for admins that runs the Backend Workflow immediately rather than waiting for the scheduled interval — useful when investigating a security incident. If you are building a production-grade Bubble security dashboard on ePO data and want architecture review, RapidDev's team has built enterprise internal tools of this complexity — schedule a free scoping call at rapidevelopers.com/contact.
1// Bubble data types for security dashboard:2// EndpointRecord: computer_name (text), os_type (text),3// agent_version (text), last_update (date), tags (text)4// ThreatEvent: threat_name (text), severity (text),5// detection_timestamp (date), system_name (text),6// auto_id (number)78// Dashboard page access control:9// Page settings → Visible when: Current User is logged in AND Current User has role Admin10// (or redirect to login page using a redirect workflow on page load)1112// Summary cards — expressions:13// Total endpoints: Do a search for EndpointRecord:count14// High threats 24h: Do a search for ThreatEvent where severity="High"15// and detection_timestamp > Current date/time - 1440 minutes :count16// Last sync: Search EPOToken:first item's fetched_at (formatted)1718// Threat severity badge conditionals (on a Shape element):19// When severity = "High" → background #ef4444 (red)20// When severity = "Medium" → background #f97316 (orange)21// When severity = "Low" → background #eab308 (yellow)2223// Manual sync button workflow:24// On click: Schedule API Workflow 'Sync ePO Data' → run immediately (Current date/time)Pro tip: For the dashboard to remain useful during ePO API outages (which can happen during ePO maintenance windows or if the corporate VPN tunnel drops), all dashboard data should be served from Bubble's own database rather than making live ePO API calls on page load. The Scheduled Backend Workflow keeps the database fresh, and the dashboard reads from Bubble's database — making it resilient to intermittent ePO connectivity issues.
Expected result: The security dashboard page displays total endpoint count, high-severity threat counts, and last sync time in summary cards. The repeating group shows managed endpoints sorted by last update. The threat events repeating group shows recent detections with severity badges. The page is only accessible to users with admin role.
Common use cases
Executive endpoint security posture dashboard
A Bubble app shows C-suite executives and security managers a daily summary of endpoint protection health: total managed endpoints, percentage with up-to-date DAT files, count of active malware detections, and policy non-compliance rate. Data is refreshed every 30 minutes via a Scheduled Backend Workflow polling ePO. Executives see a clean Bubble interface without needing ePO access.
Every 30 minutes, call Trellix ePO API 'Get System Summary' — count total managed systems, count systems where DAT date is older than 7 days, count threat events from last 24 hours, store in Bubble SecuritySnapshot record with timestamp
Copy this prompt to try it in Bubble
Threat event incident tracker in Bubble
A Bubble internal tool for the SecOps team displays recent threat events pulled from ePO — malware detections, intrusion prevention triggers, and policy violations — with severity, affected endpoint name, detection timestamp, and response status. Team members can mark events as reviewed in Bubble, triggering a status update in the same database record.
On page load, search Bubble ThreatEvent records where status is not 'Reviewed', sort by severity descending, show endpoint name, threat_name, detection_timestamp, severity badge. When 'Mark Reviewed' button clicked: set ThreatEvent status = 'Reviewed', set reviewed_by = Current User, set reviewed_at = Current date/time
Copy this prompt to try it in Bubble
Policy compliance report for audit teams
An audit-oriented Bubble page shows the compliance status of all managed endpoints against configured ePO policies — displaying pass/fail per policy category (antivirus enabled, firewall enabled, disk encryption enforced) and a summary compliance score. Data is synced nightly from ePO via a scheduled Backend Workflow and exported as a PDF from Bubble for audit documentation.
Every night at 2 AM, call ePO 'Get Policy Compliance' API, for each policy category count compliant vs non-compliant endpoints, store in Bubble PolicyCompliance record with policy_name, compliant_count, non_compliant_count, sync_date; calculate compliance_score = compliant_count / (compliant_count + non_compliant_count)
Copy this prompt to try it in Bubble
Troubleshooting
Initialize call fails with SSL certificate error or 'Unable to connect'
Cause: The ePO server uses a self-signed certificate or an internal CA certificate that Bubble's API Connector does not trust. Bubble requires a certificate from a public CA (DigiCert, Let's Encrypt, etc.) to establish an HTTPS connection.
Solution: Work with your IT team to either: (1) provision a Let's Encrypt certificate on the ePO server or reverse proxy — free and trusted by all clients including Bubble, (2) place the ePO API behind a reverse proxy (nginx, Cloudflare Tunnel) that terminates TLS with a valid public certificate and forwards requests to the internal ePO instance, or (3) for Trellix ePO Cloud deployments, confirm that the cloud URL uses a Trellix-issued public certificate.
All ePO API calls return 401 Unauthorized after the integration worked initially
Cause: The Bearer token stored in the EPOToken record has expired. When the token expires, every subsequent API call using it returns 401. This typically means the 'Refresh ePO Token' Scheduled Backend Workflow failed silently — either due to a Bubble plan downgrade disabling Backend Workflows, or the ePO /auth/token endpoint being temporarily unreachable during the refresh cycle.
Solution: Check Logs → Workflow logs in Bubble for error messages from the 'Refresh ePO Token' workflow. Confirm the app is on Starter plan or above (Settings → Plan). Manually trigger the 'Refresh ePO Token' workflow once to restore a valid token immediately. Then investigate why the scheduled refresh failed — if the ePO server was temporarily unreachable, ensure the next scheduled run is on track.
'There was an issue setting up your call' on the getEPOToken Initialize call
Cause: The ePO /auth/token endpoint is not reachable from Bubble's servers, which indicates a network or SSL issue rather than a credential issue. This happens before the credentials are even evaluated.
Solution: Test the ePO API from a public network (not corporate VPN) using a browser or Postman. If it times out, the network prerequisite is not met — the API port is not publicly accessible. If it returns an SSL error, the certificate issue needs to be resolved first. Only after confirming the API responds correctly from a public network should Bubble's API Connector be configured.
ePO system queries return different field names than expected (e.g., 'EPOComputerProperties.ComputerName' not found)
Cause: The ePO field names differ between ePO 5.x on-premise and Trellix ePO Cloud, and between different ePO versions. The Bubble API Connector detected the response fields from one ePO version, and you are now querying a different version with a different schema.
Solution: Re-initialize the API Connector call against your specific ePO instance and inspect the raw response to identify the actual field names returned. In the Bubble API Connector, delete the existing call, re-add it, use a simplified query body (request all fields with an empty select), initialize, and inspect what Bubble detects. Then adjust your repeating group and data type field mappings to match the actual ePO response.
Bubble Backend Workflow times out on large ePO system queries (30-second timeout exceeded)
Cause: ePO system queries against large deployments (10,000+ endpoints) can take longer than 30 seconds to respond, exceeding Bubble's Backend Workflow step timeout.
Solution: Add pagination to the ePO query by using 'limit' and 'offset' parameters. Chain Backend Workflows: the first workflow fetches page 1 (offset 0, limit 250), stores the results, and schedules the next workflow iteration (offset 250, limit 250) — continuing until the response returns fewer items than the limit. This distributes the work across multiple workflow executions, each well within the 30-second timeout.
Best practices
- Resolve all three infrastructure prerequisites before touching Bubble: public API accessibility, valid SSL certificate, and a confirmed test from outside the corporate VPN — otherwise Bubble configuration becomes a guessing game.
- Use a dedicated ePO service account with the minimum required permissions (read access to Systems and Threat Events only) for the Bubble integration — never use a personal admin account whose password may change or whose account may be disabled.
- Store the ePO Bearer token in a single-row Bubble data type (EPOToken) with Admin-only privacy rules, and turn off Bubble's Data API for the app — the token grants full ePO read access and must be treated as a high-value credential.
- Schedule token refresh at 80% of the token TTL (or every 50 minutes for a 60-minute TTL) with a health-check alert if the last refresh timestamp is more than 90 minutes old — silent token expiry is the most common cause of unexplained 401 errors in ePO integrations.
- Serve the security dashboard from Bubble's database (synced by a Scheduled Backend Workflow) rather than making live ePO API calls on page load — ePO queries can be slow, and direct page-load calls create one API request per visitor, which is both slow and WU-expensive.
- Add page-level access controls on the security dashboard (visible only to admin role) in addition to IdentityAlert privacy rules — defense in depth ensures sensitive endpoint security data is not accessible even if a URL is guessed.
- For large ePO deployments, paginate system queries using limit and offset parameters and chain Backend Workflow iterations — Bubble's 30-second step timeout will trigger on full-dataset queries without pagination.
- Document the ePO integration's dependency on the reverse proxy or public certificate in your Bubble app's admin notes — if IT rotates the certificate or changes the proxy configuration, the Bubble integration will break silently until the connection details are updated.
Alternatives
Norton LifeLock covers consumer identity theft monitoring and employee benefits rather than endpoint security. Norton requires a formal Gen Digital partner agreement (no self-serve); McAfee/Trellix requires an enterprise license and self-hosted ePO access. Different security domains: identity protection vs. endpoint threat detection.
Trend Micro Cloud One is a fully cloud-hosted SaaS with a self-serve API key — no self-hosted infrastructure, no VPN tunneling, and no SSL certificate challenges. If your team uses Trend Micro for workload security, the Bubble integration is dramatically simpler than McAfee ePO. Trend Micro is Intermediate difficulty; McAfee ePO is Advanced.
Use Postman to test the ePO /auth/token call and system queries before configuring Bubble. Postman's ability to handle self-signed certificates and store environment variables makes it ideal for troubleshooting the two-step ePO auth flow in isolation from Bubble's configuration.
Frequently asked questions
Does the McAfee/Trellix integration work with Trellix ePO Cloud as well as on-premise ePO?
The REST API patterns are similar, but endpoint paths and response schemas can differ between ePO 5.x on-premise and Trellix ePO Cloud. Trellix ePO Cloud has a publicly accessible HTTPS endpoint with a valid certificate, which eliminates the network access and SSL certificate prerequisites that make on-premise ePO complex. Verify the specific endpoint paths from Trellix's API documentation for your product version before configuring the Bubble API Connector.
Why can't Bubble automatically refresh the ePO Bearer token like some OAuth frameworks do?
Bubble's API Connector does not have a built-in token lifecycle concept — it stores headers as static values and does not natively implement OAuth flows or token expiry handling. The workaround is to store the token in a Bubble data type (EPOToken) and use a Scheduled Backend Workflow to refresh it on a regular interval. This achieves the same functional outcome as automatic refresh but requires explicit configuration.
What is the minimum Bubble plan for this integration?
The Starter plan or above is required. Backend Workflows — which are necessary for the token refresh mechanism, scheduled data polling, and any server-side operations — are not available on the free Bubble plan. Without Backend Workflows, the ePO integration cannot function: the token cannot be refreshed automatically, and there is no secure way to store and read the token from a protected database record.
Can Bubble receive real-time threat alerts pushed from ePO rather than polling?
ePO supports SIEM integration via syslog and third-party event forwarding, but not native webhook push to an arbitrary HTTPS URL in the same way modern SaaS tools do. Inbound webhook-style event delivery from ePO to a Bubble Backend Workflow is not a standard ePO feature. The standard Bubble pattern is polling: a Scheduled Backend Workflow queries ePO for threat events every 15–30 minutes and stores new events in Bubble's database.
Is storing ePO threat event data in Bubble's database compliant with enterprise security policies?
This depends on your organization's data classification and security policies. ePO threat event data (malware detections, affected host names, detection timestamps) may be classified as sensitive security operations data subject to data residency requirements. Before storing this data in Bubble's database, review your organization's information security policy with your CISO or compliance team. Bubble's database is hosted on AWS with encryption at rest, but your organization may require data to remain on-premise or within specific geographic boundaries.
Talk to an Expert
Our team has built 600+ apps. Get personalized help with your project.
Book a free consultation