# Secure Tracking and Page Personalization via Subscriber Key

When a contact clicks a link from KlickTipp, you can redirect them to your website and personalize a page or prefill a form. Optionally, you can allow the contact to update their data and write changes back to KlickTipp.

To do this securely, KlickTipp provides the **Subscriber Key (Contact Key)** as a GDPR-compliant, opaque identifier designed for public links and API requests. It can be safely passed as a URL parameter and used server-side to retrieve contact data via the Management API.

The Subscriber Key does not expose any internal Subscriber IDs or system logic. It is specifically designed for secure external identification in public-facing integrations such as redirects and form prefill scenarios.

For testing purposes, you can view and verify the Subscriber Key of a contact in the contact overview within the KlickTipp user interface.

## Supported Contact Identifiers

Each contact in KlickTipp can be identified using one of two supported identifiers.

**Internal Subscriber ID**

Use the Internal Subscriber ID when the identifier is not exposed externally.

- **Type:** Numeric string
- **Example:** `987654321`


**External Subscriber Key**

Use the Subscriber Key whenever a contact must be identified in a public-facing context, such as email links, redirect URLs and form integrations.

- **Type:** Alphanumeric string
- **Example:** `01234abcdefghij56789`


The Subscriber Key is opaque and cannot be used to infer internal IDs. Use the Subscriber Key for any public URL; use the internal Subscriber ID only in backend-only contexts.

**Supported Endpoints**

Both identifiers are fully supported in the following endpoints:

- [Get Contact](/management-api#operation/api.subscriber.retrieve)
- [Update Contact](/management-api#operation/api.subscriber.update)
- [Delete Contact](/management-api#operation/api.subscriber.delete)


## Step-by-Step Instructions for Using the Subscriber Key

### Step 1: Obtain the Subscriber Key

To identify the contact on your website, include the Subscriber Key as a query parameter, for example `sk`.

**Example:**


```
https://example.com/profile?sk={subscriberKey}
```

There are two entry paths. After you have the key, all server-side processing is identical.

**Rules:**

- Do not use internal Subscriber IDs in links
- Do not use email addresses as URL parameters
- Only use the Subscriber Key provided by KlickTipp


#### Custom Opt-in pages (Confirm Page and Thank-you Page)

Use this when your entry point is an opt-in process.

1. Configure your opt-in process to use a custom Confirm Page and/or Thank-you Page
2. Ensure the custom Confirm/Thank-you page forwards the Subscriber Key to your website as `sk`
3. Redirect the contact to your custom page via the Opt-in Process


**Example pattern**


```
https://example.com/confirm?sk={subscriberKey}
```

#### Email editor links (campaign links)

Use this when your entry point is an email.

1. Create a link in the email editor
2. Append the placeholder to the URL as `sk=%Subscriber:SubscriberKey%`
3. The recipient clicks the link and lands on your website with `sk`


**Example pattern**


```
https://example.com/form?sk=%Subscriber:SubscriberKey%
```

### Step 2: Extract the Subscriber Key on Your Website

Incoming request:


```
GET https://example.com/form?sk=01234abcdefghij56789
```

Pseudo-code:


```
subscriberKey = request.query.sk

if (!subscriberKey) {
    // No key present: show the blank form and stop, without calling the API
    renderEmptyForm()
    return
}
```

Validate before using:

- Check expected length
- Ensure alphanumeric format
- Reject malformed values
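
The checks listed above, as an added JavaScript example (not KlickTipp code). The 20-character length is an assumption taken from this page's sample key, and `parseSubscriberKey`, `keyFromRequestUrl` and `contactUrl` are hypothetical helper names.

```javascript
// ASSUMPTION: keys are exactly 20 alphanumeric characters, as in the sample
// key on this page. Confirm the real length against keys from your account.
const SK_PATTERN = /^[A-Za-z0-9]{20}$/;

// Returns the key as a string, or null if it is absent or malformed.
function parseSubscriberKey(raw) {
  // Query parsers may return an array for ?sk=a&sk=b or an object for
  // ?sk[x]=1; accept only a single plain string.
  if (typeof raw !== 'string') return null;
  return SK_PATTERN.test(raw) ? raw : null;
}

// Extracts sk from a full request URL; repeated sk parameters are rejected.
function keyFromRequestUrl(requestUrl) {
  const values = new URL(requestUrl).searchParams.getAll('sk');
  return values.length === 1 ? parseSubscriberKey(values[0]) : null;
}

// Builds the Management API URL only from a validated key, so that no
// path separators or query characters can reach the API request.
function contactUrl(raw) {
  const key = parseSubscriberKey(raw);
  if (key === null) return null;
  return 'https://api.klicktipp.com/subscriber/' + encodeURIComponent(key);
}
```

A `null` result should lead to the empty form, the same as a missing `sk`.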


### Step 3: Authenticate with the KlickTipp Management API

Before accessing any contact-related endpoint of the **Management API**, you must authenticate your application.

Please refer to the [Authentication Guide](/guides/management-api-authentication) for the available authentication methods and implementation details.

### Step 4: Retrieve the Contact via Subscriber Key


```
GET /subscriber/{subscriberKey}
```

[View full API reference](/management-api#operation/api.subscriber.retrieve)

Example:


```bash
curl -b /tmp/kt-cookies.txt \
  -H "Accept: application/json" \
  https://api.klicktipp.com/subscriber/01234abcdefghij56789
```

Example response:


```json
{
  "id": "987654321",
  "email": "alex.example@klicktipp.example",
  "status": "Subscribed"
}
```

If no contact matches, a 404 response is returned.

### Step 5: Render the page or prefilled form server-side

Use the retrieved contact data to render HTML server-side (page personalization or form prefill).


```html
<input type="text" name="first_name" value="Alex">
<input type="text" name="last_name" value="Example">
```

Optional hidden field for forms:


```html
<input type="hidden" name="subscriber_key" value="01234abcdefghij56789">
```

Hidden fields must never be used for authorization decisions.
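
An added JavaScript example (not KlickTipp code) of rendering the prefilled form with attribute escaping, so that stored contact values cannot break out of the `value` attribute, and without writing the internal `id` into the page. The response property names `fieldFirstName` / `fieldLastName` are an assumption mirrored from the update payload; `escapeAttr`, `renderProfileForm` and the `/profile` action are hypothetical.

```javascript
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Escapes a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Renders only the fields the form needs. The internal `id` returned by the
// API stays on the server and is never written into the markup.
function renderProfileForm(contact, subscriberKey) {
  return [
    '<form method="post" action="/profile">',
    `<input type="text" name="first_name" value="${escapeAttr(contact.fieldFirstName)}">`,
    `<input type="text" name="last_name" value="${escapeAttr(contact.fieldLastName)}">`,
    `<input type="hidden" name="subscriber_key" value="${escapeAttr(subscriberKey)}">`,
    '</form>',
  ].join('\n');
}

// Constructed sample: a contact whose stored first name contains markup.
const sampleContact = {
  id: '987654321',
  fieldFirstName: 'Alex"><script>alert(1)</script>',
  fieldLastName: "O'Example",
};
```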

### Optional: Update contact data after form submission

If the contact submits changes, validate the input server-side and update the contact via the Management API using the same `{subscriberKey}`.

Update the contact via:


```
PUT /subscriber/{subscriberKey}
```

[View full API reference](/management-api#operation/api.subscriber.update)

Example using Subscriber Key:


```bash
curl -b /tmp/kt-cookies.txt \
  -H "Content-Type: application/json" \
  -X PUT https://api.klicktipp.com/subscriber/01234abcdefghij56789 \
  -d '{
        "fieldFirstName": "Alexander",
        "fieldLastName": "New Example"
      }'
```
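
One way to validate a submitted form before issuing the `PUT`, as an added JavaScript example (not KlickTipp code). It assumes your server stored the validated key in its own session when it rendered the form (`sessionKey`), and `MAX_LEN`, `FIELD_MAP` and `buildUpdate` are hypothetical; only the two fields shown on this page are allowed through.

```javascript
// Form field name -> Management API field name. Anything else that the
// client submits (email, status, extra fields) is ignored.
const FIELD_MAP = { first_name: 'fieldFirstName', last_name: 'fieldLastName' };
const MAX_LEN = 100;                       // ASSUMPTION: placeholder limit
const CONTROL_CHARS = /[\u0000-\u001f\u007f]/;

// Turns a parsed form body into a PUT request description, or an error.
function buildUpdate(form, sessionKey) {
  // The hidden field is untrusted: it is only compared with server-side
  // state, and the request path is built from the session value.
  if (typeof sessionKey !== 'string' || form.subscriber_key !== sessionKey) {
    return { ok: false, error: 'key_mismatch' };
  }
  const body = {};
  for (const [formName, apiName] of Object.entries(FIELD_MAP)) {
    const value = form[formName];
    if (value === undefined) continue;     // field not submitted
    if (typeof value !== 'string') {       // arrays or objects from the parser
      return { ok: false, error: `invalid_${formName}` };
    }
    const text = value.trim();
    if (text.length === 0 || text.length > MAX_LEN || CONTROL_CHARS.test(text)) {
      return { ok: false, error: `invalid_${formName}` };
    }
    body[apiName] = text;
  }
  if (Object.keys(body).length === 0) return { ok: false, error: 'no_changes' };
  return {
    ok: true,
    method: 'PUT',
    path: '/subscriber/' + encodeURIComponent(sessionKey),
    body,                                  // allow-listed fields only
  };
}
```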

Refer to the following guides for field validation and error handling:

- [Data Field Types and Input Formats](/guides/data-field-types)
- [Error Handling and Validation](/guides/error-handling)


Optional: After updating the contact, you may trigger automations by adding or removing tags using the corresponding tag endpoints.

## Security Considerations

### Input validation

1. Validate `sk` format before calling the API.
2. Treat URL parameters and hidden fields as untrusted input.
3. Validate and sanitize all submitted form data before updating.


### API and data handling

1. Authentication is mandatory for all subscriber operations.
2. Resolve Subscriber Keys server-side only.
3. Never expose internal Subscriber IDs in URLs or client-side code.


### Operational hardening

1. Handle API errors gracefully (for example 404 or 406).
2. Implement proper session handling and rate limiting in production.


## Summary

The Subscriber Key enables secure, GDPR-compliant identification for redirects, page personalization, and optional form updates.

**Correct implementation**

1. Build a link to your website that includes `sk` as a URL parameter (via email editor or opt-in pages).
2. Extract `sk` and validate the contained `subscriberKey` server-side.
3. Authenticate with the KlickTipp Management API.
4. Retrieve contact data via `GET /subscriber/{subscriberKey}`.
5. Render a personalized page or prefilled form server-side.
6. Optional: validate submitted data and update via `PUT /subscriber/{subscriberKey}`.


This allows contacts to securely update their data without exposing internal system identifiers.