How much does the WhatsApp Profile API cost?

There are four tiers: BASIC is free with 50 requests/month, PRO is $35/month for 10,000 requests, ULTRA is $139/month for 50,000 requests, and MEGA is $449/month for 500,000 requests. Pay-As-You-Go credits are also available from $40 per 50,000 requests with crypto or $50 via PayPal.

What information does the API return?

The API returns whether a number is registered on WhatsApp, the public profile picture URL, the display name, the about/status text, and flags for WhatsApp Business and Enterprise accounts. Fields return null when the target user has restricted visibility in their WhatsApp privacy settings.

Does the lookup notify the target WhatsApp account?

No. The lookup is silent. It does not trigger the 'online' status, blue ticks, or any notification. It performs a directory-level existence query plus a read of public profile data the target has chosen to expose.

Can I access the API through RapidAPI or Apify?

Yes. The same JSON response is available on three channels: direct purchase (lowest per-request price), RapidAPI marketplace (fastest setup), and Apify Actor (no-code friendly). Direct purchase typically saves ~20% versus the equivalent RapidAPI-channel usage.

Will using whatsapp-web.js or Baileys definitely get my number banned?

Not definitely, but the risk is real and unpredictable. Both libraries automate the consumer app, which violates WhatsApp's Terms of Service, and both projects say so in their own documentation. Some accounts run for months; others are banned within a week. Detection is ML-based, not a fixed rule, so there's no safe threshold. The only route with zero ToS risk is the official WhatsApp Business / Cloud API through Meta or a certified BSP.

Is there a safe daily message limit on a personal WhatsApp account?

No published cap exists, because volume is not the main signal - who you message is. Messaging saved contacts who reply is far safer than cold-messaging strangers, regardless of count. Two hundred messages to engaged contacts can be fine, while thirty cold messages to non-contacts can flag you. Community warming practice suggests staying low (around 20-50/day) on fresh numbers and ramping over 2-4 weeks, but that's a heuristic, not an official limit.

What is a WhatsApp shadow ban and how do I know if I have one?

WhatsApp doesn't officially use the term 'shadow ban.' Functionally it's a throttling or restriction state: your messages stop getting the second delivered checkmark across multiple contacts, or you stop receiving messages, without any explicit ban notice. If you notice these symptoms, stop all cold outreach, slow down sharply, and shift to two-way conversations with people who actually reply.

What's the difference between Quality Rating and messaging tiers on the official API?

Messaging tiers cap how many unique customers you can message in 24 hours - from 250 for new numbers up to unlimited at Tier 4. Quality Rating (green/yellow/red) reflects how recipients react to you, driven mainly by blocks and reports. Good quality unlocks tier upgrades (reach 500+ unique users in 7 days to auto-advance); a red rating blocks advancement. Meta has also been moving these limits to apply per Business Portfolio rather than per individual number, so check WhatsApp Manager to see how your account is scoped.

How do opt-in rules and the 24-hour window work?

On the official platform you must get opt-in before messaging: the person must have given you their number and explicitly agreed to receive WhatsApp messages, with your business clearly named. Business-initiated conversations require a pre-approved template. Once a user messages you, the 24-hour customer-service window lets you send free-form service replies without a template; promotional content can still require a marketing template and is subject to the per-user marketing frequency cap. After the window expires, any business-initiated message needs a template plus valid opt-in. Honoring opt-outs immediately keeps your block rate - and your rating - healthy.

I got banned. Can I recover the account?

It depends on the ban. Temporary bans usually clear after a wait and are often resolved by uninstalling any unofficial or mod client and using the official app. Permanent bans require requesting a review in-app or via WhatsApp support with context about your usage, but reinstatement is not guaranteed. For the Business API, recovery means fixing the quality issues and policy violations that caused the problem, then rebuilding your tier.

Home
/
Blog
/
How to Avoid Getting Banned on WhatsApp: A Developer Guide

Guides

11 min read Jun 3, 2026

How to Avoid Getting Banned on WhatsApp: A Developer Guide

Name: WhatsApp Profile API
Availability: InStock
Rating: 4.5 (162 reviews)
Author: Eduardo Airaudo

Why WhatsApp bans automated accounts, what detection signals matter, and how to stay compliant with warming, rate limits, opt-in rules, and the official Cloud API.

Key takeaways

Using whatsapp-web.js or Baileys against the consumer app violates WhatsApp's Terms of Service and carries real, non-deterministic ban risk - the only zero-ToS-risk route is the official WhatsApp Business / Cloud API via a Meta-certified BSP.
Bans are driven by ML heuristics, not a fixed message cap. The strongest signal is WHO you message (strangers vs. saved contacts) and your block/report rate - not raw volume.
Number 'warming' is a community practice, not an official Meta program: ramp slowly over 2-4 weeks, prioritize two-way conversations, and avoid robotic fixed-interval sending.
On the official API, mind your Quality Rating (green/yellow/red), messaging tiers, the 24-hour customer-service window, and mandatory opt-in before any business-initiated message - and note that marketing content can still need a template even inside that window.
Vet your dependencies: a poisoned npm fork of Baileys ('lotusbail') stole auth tokens and backdoored accounts - supply-chain hygiene is part of ban avoidance.

Why WhatsApp Bans Accounts in the First Place

WhatsApp's Terms of Service prohibit non-personal, bulk, and automated messaging on the consumer app, as well as the use of unofficial or modified clients. That's the root cause behind almost every ban developers run into. The consumer app explicitly targets modded clients - GB WhatsApp, WhatsApp Plus, YoWhatsApp, and FM WhatsApp - and accounts caught using them are frequently banned permanently and without warning.

The same logic extends to libraries. Popular open-source tools like whatsapp-web.js and Baileys are powerful and widely used, but they drive either WhatsApp Web or the underlying multi-device protocol - meaning they automate the consumer app. By design, that violates the ToS, and both projects say so plainly in their own READMEs. whatsapp-web.js states it is unofficial and that it is 'not guaranteed you will not be blocked'; Baileys notes it is not affiliated with WhatsApp and discourages bulk, automated, or stalkerware-style use.

The one Meta-sanctioned route to automation is the official WhatsApp Business Platform (the Cloud API), accessed directly through Meta or a Meta-certified Business Solution Provider (BSP). Everything else puts the ban risk - and the legal responsibility - squarely on the operator. This isn't a moral lecture; it's the practical reality that determines whether your project survives past launch week.

The honest baseline

Running whatsapp-web.js or Baileys against a regular WhatsApp account is against WhatsApp's ToS and can get the number banned at any time. The techniques below reduce risk; they cannot eliminate it. Only the official Cloud API carries zero ToS risk.

What Detection Actually Looks At

Bans on unofficial libraries are unpredictable. One account runs clean for months; another gets banned within a week doing the same thing. That's because detection is heuristic and ML-based, not a single hard rule. There is no public list of triggers, but multiple 2025-2026 industry reports converge on the same set of signals. Treat these as informed community observation, not Meta-published documentation.

Signal	What raises risk	Why it matters
Reply ratio	Low inbound replies (one cited heuristic: under ~10%)	Real conversations are two-way; a wall of unanswered outbound looks like spam
Contact-graph distance	Messaging strangers / non-saved contacts	Cold outreach to people who never had your number is the single biggest flag
Temporal pattern	Robotic fixed intervals (e.g. exactly every 10s)	Humans are irregular; clockwork timing reads as a bot
Block / report rate	Spikes in blocks or 'report spam'	Direct negative user feedback degrades standing fast
Protocol fingerprint	Forked / outdated clients emulating WhatsApp Web	When Meta updates the protocol, stale connections are detected quickly

A frequently repeated figure claims that around 68% of surveyed Indian businesses using unofficial automation reported at least one ban within 12 months. That number is vendor-sourced - treat it as illustrative of the risk profile, not as an authoritative statistic. The takeaway that does hold up across every source: adding random delays does not mask the protocol fingerprint. Obfuscating timing buys little if the underlying connection already looks unofficial.

Number Warming: A Community Practice, Not a Meta Feature

'Warming' a number means starting slow and ramping activity gradually so a fresh account looks like an organic human rather than a freshly provisioned bot. It is a community best practice, not an official Meta program - you won't find it documented anywhere by WhatsApp. With that caveat, the patterns developers report as lower-risk are consistent enough to be useful.

Start small: many practitioners cite 20-50 messages a day in week one, or even just 10-20 short two-way chat rounds.
Ramp gradually over roughly 2-4 weeks; accounts tend to stabilize after about 20-30 days of clean activity.
Common early-phase caps cited: no more than ~2 messages per minute, under ~6 hours of activity per day, and not running 3 days straight in the first week.
Prioritize conversations with people who reply. A handful of genuine back-and-forth threads is worth more than hundreds of one-way blasts.
Vary your timing and content. Identical messages sent on a fixed clock are the easiest pattern to flag.

The nuance most guides get wrong

There is no published daily message cap on the consumer app because the signal is WHO you message, not how many. Two hundred messages to saved contacts who reply can be fine, while thirty cold messages to strangers can flag you. Focus on contact-graph quality, not a magic number.

Official API Limits and Quality Rating

If you switch to the official WhatsApp Business Platform, the rules become concrete and documented - which is exactly the point. Instead of guessing at heuristics, you operate within published messaging tiers and a transparent Quality Rating. These are official Meta facts, not community lore.

Tier	Unique customers per 24h (business-initiated)
New number	250 (can move to 1,000)
Tier 1	1,000
Tier 2	10,000
Tier 3	100,000
Tier 4	Unlimited

How these limits are priced

Tiers cap how many unique customers you can open conversations with in 24 hours - not your bill. Billing has historically been per conversation, grouped by category (marketing, utility, authentication, service). Meta announced a shift toward per-message pricing for template messages starting in 2025, so model your costs against the category mix and current rate card for your destination countries rather than a flat per-message rate.

To move up, send business-initiated messages to 500+ unique users within a rolling 7-day window while maintaining good quality; the platform typically auto-upgrades in about 24-48 hours. Quality Rating is color-coded - Green (high), Yellow (medium), Red (low) - and is driven mainly by blocks, reports, and user feedback. Under Meta's current quality-based policy, a Red rating blocks tier advancement; downgrades and restrictions are tied to sustained low quality and policy violations rather than a single dip, which gives you a window to recover before limits tighten.

Two further rollout changes are worth tracking. Meta has been moving messaging limits to apply per Business Portfolio (Business Manager) rather than per individual phone number, so numbers in the same portfolio share its highest achieved limit - check your WhatsApp Manager to confirm how your account is currently scoped. Separately, a per-user marketing frequency cap means even opted-in users may have marketing messages withheld if they've recently received too many marketing messages across all businesses. Rollout dates for both have shifted over time, so treat the mechanics as the durable lesson: quality and restraint pay off directly.

Shadow Bans, Throttling, and Restrictions

WhatsApp doesn't officially use the term 'shadow ban,' so it's worth being precise. What people call a shadow ban is functionally a throttling or restriction state: your messages stop getting the second (delivered) checkmark across multiple contacts, or you simply stop receiving messages. These are signs of being silently restricted rather than an explicit ban notice.

Delivered checkmarks (the second tick) stop appearing for many recipients at once.
Incoming messages dry up even though contacts say they're sending.
New chats with non-contacts fail to deliver while existing threads still work.
A sudden drop in reply rate without any change on your end.

One reported 2026 mechanic - again vendor-sourced, not officially documented - is that WhatsApp tracks unanswered messages (sent with no reply within 48 hours) and that crossing a threshold can trigger messaging restrictions. Whether or not the specific number is accurate, it reinforces the same lesson the official quality rating already teaches: one-way blasting to people who never engage is the behavior most likely to get you throttled. If you suspect throttling, slow down dramatically, lean on two-way conversations, and stop any cold outreach immediately.

Don't Get Banned by Your Own Dependencies

Ban avoidance isn't only about behavior - it's also about what code you trust. On December 22, 2025, The Register reported a malicious npm package called 'lotusbail,' a fork of @whiskeysockets/baileys that had racked up 56,000+ downloads over roughly six months. It stole WhatsApp auth tokens, intercepted all messages, harvested contact lists, exfiltrated media, and backdoored accounts via device pairing - persisting even after uninstall - all behind four layers of obfuscation.

A compromised account is a banned account waiting to happen: stolen sessions get used for spam, your contacts report you, and the number is gone. The defense is basic supply-chain hygiene - verify you're installing the canonical package, not a typosquatted or forked clone.

BASH

# Correct, canonical Baileys (current npm name)
npm install baileys

# whatsapp-web.js canonical package
npm install whatsapp-web.js

# Before installing anything WhatsApp-related, inspect it
npm view baileys repository.url   # should resolve to WhiskeySockets/Baileys
npm view <package> maintainers     # sanity-check the publisher

Pin versions, audit transitive dependencies, and be suspicious of any package promising 'undetectable' bulk sending - that's a red flag for both malware and ToS-violating risk. The canonical repos are github.com/WhiskeySockets/Baileys (MIT) and github.com/pedroslopez/whatsapp-web.js (Apache-2.0).

Recovery and the Compliant Path Forward

If you do get hit, recovery depends on the ban type. Temporary bans usually clear after a wait, and are often resolved simply by uninstalling any unofficial or mod client and switching to the official app. Permanent bans require requesting a review in-app ('Request a Review' / Support) or via WhatsApp support, with context about your usage - though there's no guaranteed reinstatement. For the Business API, recovery means fixing the underlying quality issues and addressing any policy violations to restore your tier.

The clearest decision point is what you're building for. The table below frames the honest trade-off between the unofficial libraries and the official platform.

Factor	Unofficial libraries (whatsapp-web.js / Baileys)	Official Cloud API (via Meta / BSP)
ToS status	Violates ToS by design	Fully sanctioned
Ban risk	Real and non-deterministic	None for ToS; quality rating still applies
Limits	Unwritten, heuristic	Published tiers (250 to unlimited)
Cost	Free libraries, but hidden ban cost	Per-conversation / per-message pricing, predictable
Best for	Prototypes, personal tooling, learning	Production, marketing, scale

For most production use cases, the official Cloud API is the only path that lets you scale without living in fear of a sudden ban. If you're staying on the unofficial route for prototyping, treat every ban-avoidance technique here as risk reduction, not a guarantee - and message only people who actually expect to hear from you, since engaged, two-way contacts are the single best protection against both throttling and outright bans.

Frequently asked questions

Validate before you send

Stop wasting template sends and triggering bounce-driven flags. Use the WhatsApp Profile API to confirm which numbers are actually on WhatsApp before you message a single contact.

Try the bulk checker

Sources & further reading

More from the blog

Written by

Eduardo Airaudo

Developer and founder of the WhatsApp Profile API. Building WhatsApp tooling and APIs since 2022.

How to Avoid Getting Banned on WhatsApp: A Developer Guide

Why WhatsApp Bans Accounts in the First Place

What Detection Actually Looks At

Number Warming: A Community Practice, Not a Meta Feature

Official API Limits and Quality Rating

Shadow Bans, Throttling, and Restrictions

Don't Get Banned by Your Own Dependencies

Recovery and the Compliant Path Forward

Frequently asked questions

Sources & further reading

Related

More from the blog

What Our Users Say

Good

Why WhatsApp Bans Accounts in the First Place

What Detection Actually Looks At

Number Warming: A Community Practice, Not a Meta Feature

Official API Limits and Quality Rating

Opt-In, Consent, and the 24-Hour Window

Shadow Bans, Throttling, and Restrictions

Don't Get Banned by Your Own Dependencies

Recovery and the Compliant Path Forward

Frequently asked questions

Sources & further reading

Related

More from the blog

What Our Users Say

Good