# Trend Micro

- Tool: Bubble
- Difficulty: Intermediate
- Time required: 60–90 minutes
- Last updated: July 2026

## TL;DR

Connect Bubble to Trend Micro Cloud One using the API Connector with the custom api-secret-key header — not Authorization: Bearer. Generate an API key in the Cloud One console (Administration → API Keys), mark the header Private so your key stays server-side, and start querying workload inventory and security events. Regional endpoints are critical: using the wrong region returns 404 even with a valid key.

## A self-serve cloud security API — no partner program required

Of the three security platforms in the DevOps & Tools category, Trend Micro Cloud One is the most accessible for Bubble developers. Norton LifeLock requires a formal Gen Digital enterprise partnership to obtain an API key. McAfee/Trellix requires running your own ePO server, which is typically behind a corporate VPN that Bubble Cloud cannot reach. Cloud One is different: it is a fully hosted SaaS platform, and any paying subscriber can generate an API key in minutes from the Administration panel — no sales call, no partnership agreement, no infrastructure to expose.

This makes Cloud One the right choice for Bubble founders building internal security dashboards, multi-tenant security monitoring SaaS products, or compliance reporting tools on top of Trend Micro's workload protection data.

The integration itself is a clean API Connector pattern. The only non-standard element is the authentication header: Cloud One uses api-secret-key (all lowercase, hyphenated) instead of the standard Authorization: Bearer format used by most REST APIs. Configuring the wrong header name — even 'Authorization' with the correct key value — returns 401 on every request. Get the header name right first, and the rest of the integration follows standard Bubble API Connector patterns.

A second critical detail is the regional endpoint. Trend Micro Cloud One uses region-specific subdomains. A US account uses cloudone.trendmicro.com. A German account uses de-1.cloudone.trendmicro.com. An Australian account uses au-1.cloudone.trendmicro.com. Using a key from one region against another region's endpoint returns 404 — not 401 — which can be confusing because it looks like the endpoint doesn't exist rather than an authentication mismatch. Check your Cloud One console URL when logged in to identify your region.

The primary use case this guide covers: a Bubble internal security dashboard displaying workload inventory (which VMs are protected, what modules are active) and security event counts (malware detections, intrusion prevention alerts) pulled from Cloud One's Workload Security service.

## Before you start

- A Trend Micro Cloud One account with an active Workload Security subscription — API access is included in standard Cloud One plans
- Administrator access to the Cloud One console to generate an API key (Administration → API Keys → Create API Key)
- Your account's region identified from the Cloud One console URL (us-1, de-1, au-1, etc.) to determine the correct base URL
- A Bubble app on any plan (API Connector data calls work on all plans including Free); Bubble paid plan (Starter or above) is required only if you want to use Scheduled Backend Workflows for automated data refresh
- The API Connector plugin installed in your Bubble app (Plugins tab → Add plugins → search 'API Connector' by Bubble)

## Step-by-step guide

### 1. Generate a Cloud One API key with the correct scope

Log in to your Trend Micro Cloud One console at cloudone.trendmicro.com. In the top-right navigation, click your account name and select Administration. In the left sidebar, click API Keys, then click Create API Key.

In the API key creation dialog:
- Name: give it a descriptive name like 'Bubble Dashboard Integration'
- Role: select a role with at minimum Workload Security Read access. If you want Bubble to manage policies or perform actions (not just read), you may need a broader role — but for a read-only security dashboard, a read-only role limits blast radius if the key is ever exposed.
- Full access toggle: leave disabled for read-only dashboard use cases

Click Create. Cloud One displays the API key value — copy it immediately and store it in a password manager. Cloud One only shows the full key at creation time. If you close this dialog without copying it, you must delete the key and create a new one.

Also note your Cloud One account's region from the console URL:
- cloudone.trendmicro.com → US region (base URL: https://cloudone.trendmicro.com/api)
- de-1.cloudone.trendmicro.com → Germany (base URL: https://de-1.cloudone.trendmicro.com/api)
- au-1.cloudone.trendmicro.com → Australia (base URL: https://au-1.cloudone.trendmicro.com/api)
- sg-1.cloudone.trendmicro.com → Singapore (base URL: https://sg-1.cloudone.trendmicro.com/api)

Write down your base URL — you will need it in the next step. Using a US-account key against a DE endpoint (or vice versa) returns 404 Not Found, which looks like the endpoint doesn't exist rather than an authentication problem.

**Expected result:** You have the Cloud One API key value copied to a password manager and know your account's regional base URL (e.g., https://cloudone.trendmicro.com/api for US accounts).

### 2. Configure the API Connector with the api-secret-key Private header

In your Bubble editor, click the Plugins tab in the left sidebar. Click 'Add plugins', search for 'API Connector' (by Bubble), and install it — it is free and available on all Bubble plans. Click 'API Connector' in your Plugins list.

Click 'Add another API' and name it 'Trend Micro Cloud One'. In the base URL field at the group level, enter your regional base URL — for US accounts: https://cloudone.trendmicro.com/api

Now configure the shared headers. These headers will apply to every call in this API Connector group. Click 'Add header' twice to add two headers:

Header 1:
- Key: api-secret-key
- Value: (paste your Cloud One API key here)
- Private checkbox: CHECK THIS. This is the most important step. The Private flag tells Bubble to keep this header value server-side only — it will not appear in browser network traffic, Bubble's Logs tab, or the Bubble debugger output. Your Cloud One API key stays on Bubble's servers.

Header 2:
- Key: api-version
- Value: v1
- Private checkbox: leave unchecked (this value is not sensitive)

The api-version: v1 header pins your calls to Cloud One's current stable API version. Without it, some endpoints may return response format variations across API versions.

Important: do NOT use 'Authorization' as the header name. Do NOT use 'Bearer' as a prefix before the key value. Trend Micro Cloud One requires the exact header name api-secret-key with the raw key value — no prefix, no Bearer, no 'token' keyword. This differs from virtually every other REST API in this category and is the single most common setup mistake.

```
{
  "base_url": "https://cloudone.trendmicro.com/api",
  "shared_headers": {
    "api-secret-key": "<your-cloud-one-api-key - Private>",
    "api-version": "v1"
  }
}
```

**Expected result:** The 'Trend Micro Cloud One' API group appears in the API Connector with two shared headers: api-secret-key (shown as masked/Private) and api-version: v1. The base URL is set to your regional endpoint.

### 3. Initialize a test call to verify authentication

Before building your workload inventory calls, verify authentication with a simple initialize call. Click 'Add another call' under the Trend Micro Cloud One API group. Name it 'Get API Metadata'. Set the method to GET. For the URL, enter (relative to base URL): /administration/apikeys — this endpoint lists your API keys and confirms the connection.

Alternatively, use the computers search endpoint for a more practical initialize: name it 'Search Computers', set the method to POST, URL = /workloadsecurity/computers/search, set 'Use as' to 'Data'. For the request body, use JSON body type and enter: {"maxItems": 10}

Click 'Initialize call', then click 'Send'. Bubble will attempt the POST and wait for a real response from Cloud One.

A successful response (HTTP 200) returns a JSON object with a 'computers' array and a 'totalNumberOfItems' count. Bubble will detect fields from the first computer object — including displayName, displayNameSource, platform, agentVersion, and nested status objects for each security module (antiMalware.state, webReputation.state, firewall.state, intrusionPrevention.state).

If the call returns 401 Unauthorized: the api-secret-key header value is wrong or the Private header was misconfigured. Return to Step 2 and verify the header name is exactly api-secret-key (lowercase, hyphenated) and the value is the raw API key with no prefix.

If the call returns 404 Not Found: your base URL region is wrong for this account. Check your Cloud One console URL and update the base URL in the API Connector group.

If you see 'There was an issue setting up your call' without an HTTP status: Bubble could not reach the endpoint at all — verify the base URL has no trailing slash and the /workloadsecurity/computers/search path is correct.

```
{
  "method": "POST",
  "url": "https://cloudone.trendmicro.com/api/workloadsecurity/computers/search",
  "headers": {
    "api-secret-key": "<your-key - Private>",
    "api-version": "v1",
    "Content-Type": "application/json"
  },
  "body": {
    "maxItems": 10
  }
}
```

**Expected result:** The POST /workloadsecurity/computers/search call returns HTTP 200 with a 'computers' array. Bubble detects fields including displayName, platform, and module status fields. You can see the totalNumberOfItems count confirming your workload count.

### 4. Build the workload inventory page with protection module status

With authentication working, build the main workload inventory page. This page lists all protected workloads and shows the status of each Workload Security protection module per machine.

In the Bubble editor, add a Repeating Group to your page. Set the Repeating Group's Type of content to 'Search Computers' (the data type Bubble detected from your initialize call). Set Data source to 'Get data from an external API' → select 'Trend Micro Cloud One - Search Computers'. For the body parameter maxItems, enter 250 (Cloud One returns up to 250 computers per call; for larger environments, you will need pagination using the searchAfter cursor).

Inside the Repeating Group cells, add the following elements:
- Computer name text: Current cell's Search Computers → displayName
- Platform badge: Current cell's Search Computers → platform (shows 'linux', 'windows', etc.)
- Anti-malware status: Current cell's Search Computers → antiMalware → state (values: 'on', 'off', 'not_installed')
- Intrusion prevention status: Current cell's Search Computers → intrusionPrevention → state
- Agent version text: Current cell's Search Computers → agentVersion

For status badges, use conditional formatting on a Text or Shape element:
- Condition: 'Current cell's Search Computers antiMalware state = on' → background color Green
- Condition: 'Current cell's Search Computers antiMalware state = off' → background color Orange  
- Condition: 'Current cell's Search Computers antiMalware state = not_installed' → background color Red

Note on nested fields: Cloud One's response nests module status inside objects (e.g., antiMalware is an object with a 'state' key). During initialization, Bubble may flatten these as 'antiMalware.state' or create a nested data type. If you see 'antiMalware' as a data type rather than a direct field, use 'Current cell's Search Computers → antiMalware → state' with chained field references. Re-initialize the call if the fields were not auto-detected correctly.

Add a summary line above the Repeating Group showing total protected workloads: use 'Get data from an external API' → Search Computers → totalNumberOfItems.

**Expected result:** The Repeating Group displays your protected workloads with their names, platforms, and anti-malware/intrusion prevention status badges color-coded by protection state. Total workload count is visible above the list.

### 5. Query security events with Unix millisecond timestamp filters

Cloud One's event endpoints are separate from the computer inventory endpoint and use Unix millisecond timestamps (not ISO date strings) for time filtering. This is the second most important integration detail after the header name.

Create a new API Connector call under the Trend Micro Cloud One group:
- Name: Search Antimalware Events
- Method: POST
- URL: /workloadsecurity/events/antimalware/search
- Use as: Data
- Body type: JSON body

The body structure for a 7-day lookback:
```json
{
  "maxItems": 100,
  "searchCriteria": [
    {
      "fieldName": "logDate",
      "numericValueTest": "greater-than",
      "numericValue": 1234567890000
    }
  ]
}
```

The numericValue is a Unix timestamp in milliseconds (13 digits). For the initialize call, use a real past timestamp — for example, 7 days ago in milliseconds. You can calculate this: current Unix time in ms minus 604800000 (7 days × 24h × 3600s × 1000ms).

Bubble does not have a built-in 'Convert date to Unix milliseconds' expression. To generate the timestamp dynamically in a workflow, use the 'Run JavaScript' action (requires the Toolbox plugin from Bubble's Plugin Marketplace, free to install):

In a JavaScript action, write:
```javascript
bubble_fn_result(new Date().getTime() - (7 * 24 * 60 * 60 * 1000));
```

This returns the timestamp 7 days ago in milliseconds. Store this number in a Bubble custom state of type Number, then pass it to the searchCriteria numericValue parameter in the API call.

For intrusion prevention events, create a parallel call named 'Search IPS Events' targeting /workloadsecurity/events/intrusionprevention/search with the same body structure. The IPS event fields differ (protocol, destinationPort, etc.) but the searchCriteria format is identical.

```
{
  "method": "POST",
  "url": "https://cloudone.trendmicro.com/api/workloadsecurity/events/antimalware/search",
  "headers": {
    "api-secret-key": "<your-key - Private>",
    "api-version": "v1",
    "Content-Type": "application/json"
  },
  "body": {
    "maxItems": 100,
    "searchCriteria": [
      {
        "fieldName": "logDate",
        "numericValueTest": "greater-than",
        "numericValue": "<unix_ms_timestamp - dynamic>"
      }
    ]
  }
}
```

**Expected result:** The Search Antimalware Events call returns a JSON response with an 'events' array and 'totalNumberOfItems'. Bubble detects event fields including hostName, malwareName, logDate, and action. The call correctly filters events newer than the provided Unix millisecond timestamp.

### 6. Add a Scheduled Backend Workflow for automated data refresh and set Privacy Rules

For a production security dashboard, you want data to refresh automatically rather than making Cloud One API calls on every page load for every user. This requires a Bubble Scheduled Backend Workflow — available on Bubble's Starter plan and above (not the Free plan).

First, create a Bubble data type to cache event summary data. In the Data tab → Data types, add a new type called 'SecuritySummary' with fields:
- summary_date (date)
- malware_event_count (number)
- ips_event_count (number)
- workload_count (number)
- last_refreshed (date)

Navigate to the Backend Workflows section (in the Bubble editor top menu → click the hamburger / more options → Backend Workflows, or access via the Workflow tab → Backend Workflows depending on your Bubble editor version). Create a new API Workflow named 'Refresh Security Data'.

In this workflow, add steps:
1. Call 'Trend Micro Cloud One - Search Antimalware Events' with a 1-hour lookback timestamp → store totalNumberOfItems result
2. Call 'Trend Micro Cloud One - Search IPS Events' with a 1-hour lookback timestamp → store totalNumberOfItems result
3. Call 'Trend Micro Cloud One - Search Computers' → store totalNumberOfItems as workload count
4. Create or update a SecuritySummary record with today's date, the event counts, and current timestamp as last_refreshed

To schedule this workflow: in Settings → API, enable 'This app exposes a Workflow API'. Then go to your Backend Workflows list → find 'Refresh Security Data' → set it to run on a schedule (every 60 minutes).

For Privacy Rules: go to Data tab → Privacy. For the SecuritySummary data type, add a privacy rule: 'When Current User is logged in → Allow read access'. This prevents unauthenticated users from querying your security event data via Bubble's Data API. All security data — even aggregate counts — should be behind authentication.

RapidDev's team has built dozens of security and compliance dashboards on Bubble with API integrations like this — if you need help with multi-region deployments or complex event filtering logic, book a free scoping call at rapidevelopers.com/contact.

**Expected result:** The 'Refresh Security Data' Backend Workflow runs on a schedule (every 60 minutes) and updates the SecuritySummary record in Bubble's database. The dashboard page reads from the Bubble database instead of calling Cloud One directly, keeping page loads fast and WU costs low. SecuritySummary data is protected by Privacy Rules requiring user authentication.

## Best practices

- Always mark the api-secret-key header as Private in the API Connector — Cloud One API keys have broad access to your security posture data, and keeping the key server-side prevents it from appearing in browser network inspector, Bubble's Logs tab, or the Bubble debugger.
- Use a read-only Cloud One API key role (Workload Security Read) for a dashboard-only integration — never use a full-access key for a Bubble app unless the app needs to modify security policies, which dramatically increases risk if a Bubble misconfiguration exposes the key.
- Match the API Connector base URL to your Cloud One account's region — verify your region from the Cloud One console URL (US: cloudone.trendmicro.com, DE: de-1.cloudone.trendmicro.com) before configuring the Bubble connector.
- Set Privacy Rules in Bubble's Data tab for every data type that stores Cloud One security data — security event counts, workload names, and protection status are sensitive operational data that should require user authentication to view.
- Cache security event counts in a Bubble database table refreshed by a Scheduled Backend Workflow every 30-60 minutes, rather than calling the Cloud One event search endpoints on every user's page load — this keeps WU costs predictable and page loads fast.
- Use the maxItems parameter on every computers/search and events search call — Cloud One will return a default page size if omitted, but explicitly setting it prevents unexpected response truncation and keeps response sizes predictable for Bubble's JSON parsing.
- Pin the api-version: v1 header on all Cloud One API calls — this ensures your Bubble integration continues to work even if Cloud One releases a v2 API with different response shapes, avoiding unexpected breakage from API version changes.
- Test your Cloud One API key permissions in the Cloud One console's API Key management panel before integrating with Bubble — verify the key's role covers the specific services and operations you need (Workload Security, Container Security, etc.) to avoid 403 errors in production.

## Use cases

### Build an internal workload security dashboard in Bubble

Display all protected workloads (virtual machines, cloud instances) with their protection module status in a Bubble Repeating Group. Show which workloads have anti-malware active, which have intrusion prevention enabled, and which are offline. Filter by protection status to quickly identify unprotected assets — all without logging into the Cloud One console.

Prompt example:

```
On page load, call POST /workloadsecurity/computers/search with body {"maxItems": 100} and display each computer's displayName, platform, and antiMalware.state in a Repeating Group. Color the state badge green for On, red for Off, and grey for Not Installed.
```

### Create a security event summary report page

Pull malware detection events and intrusion prevention alerts from the past 7 days, store the counts in a Bubble database, and display a summary dashboard with event trend counts by day. Use a Scheduled Backend Workflow to refresh the data every hour so users see near-real-time event counts without incurring WU costs on every page load.

Prompt example:

```
Create a Bubble data type EventSummary with fields: event_date (date), malware_count (number), ips_count (number). Run a Scheduled Backend Workflow every 60 minutes that calls POST /workloadsecurity/events/antimalware/search with a 24-hour time window and stores the result count in today's EventSummary record.
```

### Alert a Bubble team on new critical security events

Use a Scheduled Backend Workflow to check for high-severity Cloud One events every 30 minutes. When new critical events are detected, trigger a Bubble workflow that sends an email to the security team via the SendGrid integration or posts a notification to a Slack channel via Bubble's API Connector.

Prompt example:

```
Every 30 minutes, call POST /workloadsecurity/events/antimalware/search filtering for severity >= High in the last 30-minute window. If the response's totalNumberOfItems is greater than 0, trigger the SendGrid email action to notify the security team with event count and top affected hostnames.
```

## Troubleshooting

### Every Cloud One API call returns 401 Unauthorized, even after entering the correct API key

Cause: The header name is wrong. The most common mistake is using 'Authorization' or 'X-API-Key' as the header name instead of the required 'api-secret-key'. A second possibility is the Private checkbox was clicked but not saved — the value looks masked but the header was reverted on browser refresh.

Solution: Go to the API Connector → Trend Micro Cloud One group → Shared headers. Verify the header Key field reads exactly 'api-secret-key' (all lowercase, hyphenated, no spaces). Verify the Value field shows '••••••••' confirming the Private flag is saved. If the value is visible rather than masked, click the Private checkbox again and save. Also confirm there is no 'Bearer' or 'token' prefix before the API key value — Cloud One requires the raw key with no prefix.

### API calls return 404 Not Found for all Cloud One endpoints, including the computers/search endpoint

Cause: The regional endpoint in the API Connector base URL does not match the region of the Cloud One account that generated the API key. A US-account key used against de-1.cloudone.trendmicro.com returns 404. This looks like a missing endpoint but is actually a region mismatch.

Solution: Log in to your Cloud One console and check the URL in your browser address bar. The subdomain indicates your region: cloudone.trendmicro.com = US, de-1.cloudone.trendmicro.com = Germany, au-1.cloudone.trendmicro.com = Australia. Update the API Connector group's base URL to match your actual region. Re-initialize all calls after changing the base URL.

### 'There was an issue setting up your call' during Initialize — no HTTP status shown

Cause: The initialize call was sent without a required JSON body (the computers/search endpoint requires a POST body with at minimum {"maxItems": N}) or the Body Type is set to something other than JSON body for a POST call.

Solution: In the API Connector call configuration, ensure Body Type is set to 'JSON body'. In the body field, enter at minimum {"maxItems": 10}. Do not leave the body empty for POST calls to Cloud One — an empty body causes a parsing error on the Cloud One side that Bubble receives as a malformed response, triggering the 'issue setting up your call' error rather than a clean HTTP error code.

```
{
  "maxItems": 10
}
```

### Security event search calls return 0 results even though events exist in the Cloud One console

Cause: The Unix millisecond timestamp in the searchCriteria numericValue is too recent (e.g., a timestamp from 1 minute ago when events only exist from hours ago), OR the timestamp is in seconds rather than milliseconds (10-digit Unix timestamp instead of 13-digit millisecond timestamp).

Solution: Verify the timestamp is 13 digits (milliseconds, not seconds). In the Cloud One console, go to Events → Antimalware and note the timestamp of a known recent event. Calculate the equivalent Unix millisecond timestamp for a period before that event and use it in the searchCriteria. When using Bubble's Toolbox 'Run JavaScript' to generate timestamps, confirm the returned value is 13 digits: new Date().getTime() returns milliseconds; Math.floor(Date.now() / 1000) returns seconds — use the first form only.

```
// Correct: milliseconds (13 digits)
var sevenDaysAgo = new Date().getTime() - (7 * 24 * 60 * 60 * 1000);
bubble_fn_result(sevenDaysAgo);

// Incorrect: seconds (10 digits) - do not use
var sevenDaysAgoSeconds = Math.floor(Date.now() / 1000) - (7 * 24 * 60 * 60);
```

### Backend Workflows section is not available in the Bubble editor

Cause: Backend Workflows (also called API Workflows) require a paid Bubble plan (Starter or above). The Free plan does not include Backend Workflow access, so the 'Schedule API workflow' option and the Backend Workflows section of the editor are hidden.

Solution: Upgrade your Bubble app to the Starter plan or above to access Backend Workflows and scheduled automation. On the Free plan, you can still use the API Connector for on-demand data calls (displaying Cloud One data when users visit a page), but you cannot run automated hourly refreshes or set up a 'Workflow API' endpoint to receive event notifications.

## Frequently asked questions

### Do I need a Trend Micro partner agreement to get a Cloud One API key?

No. Unlike Norton LifeLock, which requires a formal Gen Digital enterprise partnership, Trend Micro Cloud One is a self-serve SaaS platform. Any paying Cloud One subscriber can generate an API key from Administration → API Keys in the Cloud One console — no sales call or partnership agreement required. The API is available on all Cloud One plans.

### Why does Trend Micro use api-secret-key instead of the standard Authorization: Bearer header?

Trend Micro Cloud One uses its own custom authentication header name (api-secret-key) across all Cloud One services for consistency within its platform. This differs from the REST API conventions used by most other services (Authorization: Bearer). The authentication is functionally equivalent — the key is validated on Trend Micro's servers — but the header name must match exactly. Bubble's API Connector supports any custom header name; just enter api-secret-key in the Key field.

### Can Bubble receive real-time Cloud One security alerts as they happen?

Not directly via webhooks in the standard Cloud One setup. Cloud One supports Syslog output and integrations with SIEM platforms (Splunk, QRadar), but does not have a native webhook-to-any-URL feature for Workload Security events. The practical Bubble pattern is scheduled polling: a Backend Workflow runs every 30-60 minutes and queries the events API for new entries. For true real-time alerting, consider routing Cloud One Syslog output to a SIEM or log aggregator that can forward to Bubble's Backend Workflow endpoint.

### Does a Bubble Free plan work for this Trend Micro integration?

Partially. The API Connector data calls (displaying workload inventory and security events on page load) work on Bubble's Free plan. What does not work on Free is Scheduled Backend Workflows — so you cannot set up automated hourly data refreshes. On the Free plan, the Cloud One API is called fresh on each user's page load, which works fine for personal or small-team dashboards but consumes more WU for high-traffic apps.

### My Cloud One API key works in another tool but returns 404 in Bubble — what is wrong?

Almost certainly a regional endpoint mismatch. The key is valid, but the Bubble API Connector's base URL points to the wrong regional Cloud One subdomain. Check your Cloud One console URL: the subdomain before .cloudone.trendmicro.com tells you your region (de-1, au-1, sg-1, etc.). Update the Bubble API Connector group's base URL to match. US-region accounts use cloudone.trendmicro.com (no prefix).

### How do I handle a large fleet of workloads (500+ machines) in Bubble?

Cloud One's computers/search endpoint accepts a maxItems parameter (up to 250 per call) and returns a 'lastId' cursor for pagination. For fleets over 250 workloads, use a Bubble Backend Workflow to make multiple paginated calls: first call with {"maxItems": 250}, store the returned lastId, make a second call with {"maxItems": 250, "searchAfter": [lastId]}, and repeat until the returned list is smaller than maxItems. Store all results in a Bubble database table. This pattern requires a paid Bubble plan for Backend Workflows.

---

Source: https://www.rapidevelopers.com/bubble-integrations/trend-micro
© RapidDev — https://www.rapidevelopers.com/bubble-integrations/trend-micro
