GreenArrow Email Software Documentation

Create Your Own Preference Center

This is not a code example of how to create your own Preference Center. It is an overview of how you can use the various APIs to build a preference center where your subscribers can adjust their custom field settings or unsubscribe, all from one central place.

To build your own preference center you will want to create a link in your GreenArrow Studio campaign that includes these replacement codes:

  • {emailaddress}
  • {unsubscribe_token}
  • {subscriber_id}
  • {mailing_list_id}

For example:

https://www.domain.com/email_preferences?subscriber_id={subscriber_id}&email={emailaddress}&unsub_token={unsubscribe_token}&mailing_list_id={mailing_list_id}

If you’d like to track more than that in your link, here is the full list of available replacement codes.

Note that the replacement code syntax with { and } only works in links. They are provided here because % is a special code that is sometimes escaped in links by HTML editing software.


With the information passed to your preference center from the link, you’ll need to set up your preference center to do the following:

  1. Get the subscriber’s current custom field data to populate the form so they can see their current settings:
    • Do this using the Get Subscriber API.
    • Use the subscriber_id and mailing_list_id to get the subscriber, and then for security verify that the email address also matches.
  2. Update the subscriber record with the new data the subscriber provided in the form:
    • Do this using the Update Subscriber API.
    • Use the subscriber_id and mailing_list_id to update the subscriber.
    • Before doing an update, you should verify that the provided emailaddress matches this subscriber_id.
  3. Unsubscribe them from the list if they choose to do that instead:
    • Do this using the Unsubscribe API.
    • Use the unsubscribe_token to update the subscriber status and associate the unsubscribe with the specific campaign.

Security Alert!

When showing data to the user and updating custom fields, check that both the email address and subscriber_id match the record.

If you only look up based on the email address (and don’t check the subscriber_id), then you allow an attacker to query the subscription status of any email address on your list.

If you only look up based on the subscriber_id (and don’t check the email address), then an attacker can simply increment through subscriber_id values and download your list.

This checking is not required with the Unsubscribe API, as the unsubscribe_token already includes a security code.
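The check described above, sketched as an added example (not GreenArrow code). `fetch_subscriber`, the record layout and the sample data are hypothetical stand-ins for the Get Subscriber and Update Subscriber APIs, and comparing addresses case-insensitively is an assumption.

```python
import hmac

# Constructed sample data standing in for the Get Subscriber API.
# Keys are (mailing_list_id, subscriber_id); the record layout is an assumption.
SAMPLE_SUBSCRIBERS = {
    (1, 101): {"email": "alice@example.com", "custom_fields": {"frequency": "weekly"}},
    (1, 102): {"email": "bob@example.com", "custom_fields": {"frequency": "daily"}},
}


def fetch_subscriber(mailing_list_id, subscriber_id):
    """Hypothetical stand-in for a Get Subscriber API call; None if not found."""
    return SAMPLE_SUBSCRIBERS.get((mailing_list_id, subscriber_id))


def _normalize(email):
    # Assumption: addresses are compared case-insensitively.
    return email.strip().lower().encode("utf-8")


def load_verified_subscriber(params, fetch=fetch_subscriber):
    """Return the subscriber record only when id and email agree, else None.

    Unknown id, wrong email and malformed input all give the same result,
    so the page can show one generic error and reveal nothing about the list.
    """
    try:
        list_id = int(params["mailing_list_id"])
        sub_id = int(params["subscriber_id"])
        claimed = _normalize(params["email"])
    except (KeyError, ValueError, TypeError, AttributeError):
        return None
    record = fetch(list_id, sub_id)  # look up by id, never by email alone
    if record is None:
        return None
    # Constant-time comparison of the stored and the claimed address.
    if not hmac.compare_digest(_normalize(record["email"]), claimed):
        return None
    return record


def update_custom_fields(params, new_fields, fetch=fetch_subscriber):
    """Repeat the check on the write path; True if the update was allowed."""
    record = load_verified_subscriber(params, fetch)
    if record is None:
        return False
    record["custom_fields"].update(new_fields)  # Update Subscriber call goes here
    return True
```

Returning the same result for "no such subscriber" and "email does not match" keeps the page from answering either of the two probing questions the alert describes.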


Copyright © 2012–2024 GreenArrow Email