Public Endpoints | Owlat Docs

These routes are public-facing and usually accessed from email links or embedded forms.

Health check

GET /api/v1/health

Tracking

GET /t/o/:emailSendId (open pixel)
GET /t/c/:emailSendId/:encodedUrl (click redirect + tracking)

Unsubscribe

POST /unsub/:token (RFC 8058 one-click unsubscribe)
GET /unsub/verify/:token (validate token and fetch page context)

Preference center

GET /prefs/verify/:token
POST /prefs/update/:token

List double opt-in

GET /confirm/list/verify?token=...
POST /confirm/list?token=...

Form submission

POST /forms/:formId

Campaign archive

GET /archive/:token — returns the archived HTML snapshot of a sent campaign

Public-facing endpoint for "View in Browser" links. Returns the campaign content as it appeared at send time.

Response:

{
  "html": "<html>...</html>",
  "subject": "Our biggest sale of the year",
  "sentAt": "2026-03-10T14:30:00Z",
  "organizationName": "Acme Inc."
}

The archive token is unique per campaign and included in the email's "View in Browser" link. Archive endpoints are rate limited and CORS enabled.

GET /share/:token — returns the HTML snapshot of a shared email template preview

Public-facing endpoint for expiring share links created from the email editor. Returns the email content as it appeared when the link was created. Links expire after 48 hours.

Responses:

200 OK — valid share link

{
  "html": "<html>...</html>",
  "subject": "Welcome to our product",
  "previewText": "Here's what you need to know",
  "organizationName": "Acme Inc.",
  "expiresAt": 1742486400000
}

404 Not Found — token is invalid or link has been revoked
410 Gone — link has expired (48-hour window passed)

The share token is a 24-character random string. Share link endpoints use Cache-Control: no-store (unlike archive endpoints) since the content expires.

Notes

CORS is enabled where required for browser-based flows
Public endpoints are rate-limited by IP
Tokenized endpoints return structured JSON for invalid/expired tokens