Embed Preference center and Unsubscribe into my site - unique user identifier?

Your software
My Mautic version is 3.1.2:
My PHP version is: 7.3.*
My Database type and version is: mysql 8

Your problem

Figuring out a way to integrate unsubscribe && preference center into my website.

Reasoning:
a) avoid taking the user to the Mautic domain and potentially losing their focus on features on our site.
b) I don't want to expose the hosted Mautic address, to limit attack surface

I was thinking I need some way to uniquely identify the user when the user comes to our website - so I can find them via Mautic API search. I can embed the user’s email into the unsubscribe link going to our website’s URL - and render a custom unsubscribe && preference center using API calls. However then anyone can unsubscribe anyone else’s preferences as long as they provide a valid email…

There’s gotta be a better way.

I was thinking - I can add a custom field to Mautic with some unique user id/token populated when I add a user (via API) -> then I can use that unique number/token instead to look up the user in Mautic, not using their email. That will probably work OK, with the caveat that I can only add users via the website so the unique id is always populated?

Does any one of you folks integrate it onsite? Is the above custom field approach the way to go? Or is there a better way?

I’ve traced the code in Mautic - and trackingHash/idHash is being used to identify the lead/contact.
Which will work just fine for me instead of reinventing the wheel with a custom field.
I can then pull email lead/contact information via the stats API by using that tracking hash value.

But is there any way I can get that value as a token in templates?

I’ve tested these and they are not working:

{idHash}
{id_hash}
{tracking_hash}

After some digging and asking in the Slack forum - trackingHash | idHash are not currently exposed as tokens, only the tracking pixel is.
So I’m just gonna go the route of a custom Mautic field.
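
The custom-field approach discussed in this thread, as an added example that is not part of the original posts and is not Mautic code: each contact gets a random token, contacts created outside the website are backfilled, and the preference page resolves a request by token only, never by email. The field alias `pref_token`, the `/preferences?t=` URL shape and the in-memory contact list (standing in for a lookup of the custom field through the Mautic API) are assumptions.

```python
import re
import secrets

TOKEN_FIELD = "pref_token"                    # hypothetical custom-field alias
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{43}")   # shape of secrets.token_urlsafe(32)


def new_token() -> str:
    """256 bits from the OS CSPRNG; not derived from the email or contact id."""
    return secrets.token_urlsafe(32)


def backfill(contacts: list) -> int:
    """Assign tokens to contacts that lack one (imports, forms, manual adds)."""
    fixed = 0
    for contact in contacts:
        if not TOKEN_RE.fullmatch(contact.get(TOKEN_FIELD) or ""):
            contact[TOKEN_FIELD] = new_token()
            fixed += 1
    return fixed


def unsubscribe_url(base: str, contact: dict) -> str:
    """Link placed in the email; it carries the token and no email address."""
    return f"{base}/preferences?t={contact[TOKEN_FIELD]}"


def resolve(token, contacts: list):
    """Return the single contact owning this token, else None.

    The shape check runs first, so an email address or search syntax in the
    query parameter is rejected before any lookup is attempted.
    """
    if not isinstance(token, str) or not TOKEN_RE.fullmatch(token):
        return None
    hits = [c for c in contacts
            if secrets.compare_digest(c.get(TOKEN_FIELD) or "", token)]
    return hits[0] if len(hits) == 1 else None   # duplicate tokens fail closed


if __name__ == "__main__":
    # Constructed sample data: one website signup, one imported contact.
    sample = [{"email": "a@example.com", TOKEN_FIELD: new_token()},
              {"email": "b@example.com"}]
    print("backfilled:", backfill(sample))
    print(unsubscribe_url("https://www.example.com", sample[1]))
    print("lookup by email ->", resolve("b@example.com", sample))
```

The page handler should answer an unknown token the same way as a malformed one, so the response does not reveal which tokens exist.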