How much does the WhatsApp Profile API cost?

There are four tiers: BASIC is free with 50 requests/month, PRO is $35/month for 10,000 requests, ULTRA is $139/month for 50,000 requests, and MEGA is $449/month for 500,000 requests. Pay-As-You-Go credits are also available from $40 per 50,000 requests with crypto or $50 via PayPal.

What information does the API return?

The API returns whether a number is registered on WhatsApp, the public profile picture URL, the display name, the about/status text, and flags for WhatsApp Business and Enterprise accounts. Fields return null when the target user has restricted visibility in their WhatsApp privacy settings.

Does the lookup notify the target WhatsApp account?

No. The lookup is silent. It does not trigger the 'online' status, blue ticks, or any notification. It performs a directory-level existence query plus a read of public profile data the target has chosen to expose.

Can I access the API through RapidAPI or Apify?

Yes. The same JSON response is available on three channels: direct purchase (lowest per-request price), RapidAPI marketplace (fastest setup), and Apify Actor (no-code friendly). Direct purchase typically saves ~20% versus the equivalent RapidAPI-channel usage.

Can I get a WhatsApp profile picture using the official WhatsApp Cloud API?

No. Meta's WhatsApp Business Cloud API lets you set and read your own business profile photo, but it has no endpoint to read another contact's profile picture. Every method that fetches a contact's photo by phone number — Baileys, whatsapp-web.js, or a hosted Profile API — relies on unofficial access to WhatsApp's Web protocol, not the official Cloud API.

Why does profilePictureUrl (or getProfilePicUrl) return undefined or null?

That is the normal signal for "the photo is hidden by the contact's privacy settings" or "no photo is set." It is not an error — map it to null and continue. With whatsapp-web.js this falsy return is observed community behaviour rather than a documented guarantee, so code defensively. In Baileys, separately, many JIDs and edge cases throw a Boom error (such as bad-request, item-not-found, or not-authorized), so you should still wrap the call in try/catch to handle thrown errors distinctly from the empty result.

What Boom errors does Baileys throw when fetching a profile picture?

Common thrown reasons include bad-request (HTTP 400), item-not-found, not-authorized, and occasionally forbidden (HTTP 403) or a timeout — see issues #900, #904, and #1979 in the WhiskeySockets repo. Note the HTTP labels: forbidden is 403 and unauthorized/not-authorized is 401, so checking only for a 404 status is too narrow. Always pass the timeout argument, because Baileys v7's tcToken privacy logic can otherwise cause the call to hang (issue #2498).

What's the difference between low-res and high-res in Baileys?

Calling sock.profilePictureUrl(jid) with no second argument returns a low-resolution preview URL. Passing 'image' as the second argument — sock.profilePictureUrl(jid, 'image') — returns the high-resolution version. An optional third argument sets a timeout in milliseconds. Both resolve to undefined when the photo is hidden or absent.

Why does the profile picture URL stop working after a while?

The URLs returned are time-limited, signed links to WhatsApp's media CDN (pps.whatsapp.net / mmg hosts) and they expire. If you save the URL and serve it later it will eventually return 403. Download the image bytes as soon as you receive the URL and cache those in your own storage, then serve from your copy.

Will using Baileys or whatsapp-web.js get my WhatsApp number banned?

It can. Both libraries are unofficial and breach WhatsApp's Terms of Service; whatsapp-web.js explicitly warns it cannot guarantee you won't be blocked. To reduce risk, use a dedicated number you can afford to lose, keep request volumes modest, throttle and add jitter, and cache results aggressively. A hosted Profile API moves the access (and its ToS exposure) to the provider, but you should still confirm you have a lawful basis for each lookup.

How do I look up a profile picture by phone number without running WhatsApp?

Use a hosted Profile API. You send the phone number in an HTTP request and receive JSON with the public profile photo URL — usually alongside the display name, about text, and business flag when visible. There's no linked device to maintain and no session to re-authenticate. Like the libraries, it returns null when the photo is hidden, so your handling logic stays the same. Verify the exact response shape against the provider's API reference before integrating.

Home
/
Blog
/
How to Get a WhatsApp Profile Picture Programmatically

Guides

10 min read Jun 7, 2026

How to Get a WhatsApp Profile Picture Programmatically

Name: WhatsApp Profile API
Availability: InStock
Rating: 4.5 (162 reviews)
Author: Eduardo Airaudo

Three ways to fetch a public WhatsApp profile photo in code: Baileys profilePictureUrl, whatsapp-web.js getProfilePicUrl, or a hosted REST API — with null handling and caching.

Key takeaways

WhatsApp's official Cloud API cannot read another contact's profile picture — it only lets you set your own business photo. Every contact-PFP method relies on unofficial Web-protocol access.
Baileys exposes `sock.profilePictureUrl(jid)` (low-res preview) and `sock.profilePictureUrl(jid, 'image')` (high-res). whatsapp-web.js exposes `client.getProfilePicUrl(contactId)`.
A hidden photo or no photo returns `undefined`/null — treat that as a normal signal, not an error. Baileys also throws Boom errors (bad-request, item-not-found, not-authorized), so wrap calls in try/catch.
The returned pps.whatsapp.net URLs are signed and expire. Cache the downloaded image bytes, not the URL, and negative-cache hidden results.
Both libraries require an authenticated linked-device session and breach WhatsApp's Terms of Service (ban risk). A hosted Profile API shifts the session-maintenance work to the provider.

Why this is harder than it looks

"Just grab the profile picture for this phone number" sounds like a one-line task. In practice, learning how to get a WhatsApp profile picture programmatically means accepting up front that WhatsApp gives you no official, supported way to do it for an arbitrary contact. The platform treats profile photos as private-by-default user data, gated behind privacy settings, and only exposed through the same protocol the real WhatsApp clients use. That single fact shapes every approach in this guide.

There are three realistic routes. You can drive WhatsApp's multi-device protocol directly with Baileys, automate a real WhatsApp Web browser session with whatsapp-web.js, or skip the session entirely and call a hosted REST API that returns the public photo URL as JSON. Each has different setup costs, reliability characteristics, and compliance implications.

Before any code, set expectations honestly: a profile picture is only retrievable when the owner has it set and their privacy settings allow it. When it is hidden or absent, every method returns an empty result — that is the correct behaviour, not a bug to work around. And the two library routes both require a linked WhatsApp account and breach WhatsApp's Terms of Service, which carries a genuine account-ban risk. We will cover that in full so you can make an informed decision.

Have a lawful basis before you look anyone up

Fetching a person's photo by phone number processes personal data. In jurisdictions like the EU/UK under GDPR you need a lawful basis — consent or a documented legitimate interest, balanced against the person's rights — and similar rules apply elsewhere. For the lead-enrichment use cases below, confirm you have that basis and a clear purpose before you query a single number. "It's technically public" is not the same as "lawful to collect and store."

What the official WhatsApp Cloud API can (and cannot) do

Developers reach for Meta's WhatsApp Business Cloud API first, expecting a clean endpoint. It is not there. The Cloud API's Business Profiles reference lets you read and update your own business profile — including setting a profile photo for your business number — but it exposes no endpoint to read another contact's display picture. There is simply no "get contact profile picture" call in the official surface.

This is a deliberate design choice, not an oversight. Meta scopes the Cloud API to conversations a user has opted into by messaging your business. Bulk lookup of arbitrary users' photos is exactly the kind of profiling Meta restricts. So if your requirement is to fetch the photo for a number that has not messaged you, the official API cannot help — full stop.

The honest baseline

Any method that retrieves a contact's profile picture by phone number uses unofficial access to WhatsApp's Web protocol. The official Cloud API is the safe, supported channel, but it does not offer this capability. Keep that distinction clear when planning compliance and risk.

That leaves unofficial libraries and hosted APIs built on the same protocol. The rest of this guide is about doing that responsibly — handling privacy correctly, caching efficiently, and understanding the trade-offs.

Method 1 — Baileys (profilePictureUrl)

Baileys is a pure WebSocket implementation of WhatsApp's multi-device protocol, maintained under the WhiskeySockets organisation. It runs no browser — no Puppeteer, no Chromium — so it is lightweight and fast, which matters when you are doing many lookups. It is published on npm as the unscoped `baileys` package (MIT licensed); the older `@whiskeysockets/baileys` resolves to the same code, while the original `@adiwajshing/baileys` is abandoned.

Once you have an authenticated socket (linked via QR or pairing code), fetching a photo is a single call. Pass no second argument for a low-resolution preview, or `'image'` for the high-resolution version. An optional third argument sets a timeout in milliseconds.

import makeWASocket from 'baileys'

// assume `sock` is an authenticated multi-device socket
async function getWaPhoto(sock, phone) {
  const jid = `${phone}@s.whatsapp.net` // e.g. 14155552671
  try {
    // 'image' = high-res; omit for a low-res preview
    const url = await sock.profilePictureUrl(jid, 'image', 5000)
    return url ?? null         // undefined => hidden by privacy OR no photo set
  } catch (err) {
    // Baileys throws Boom errors here: bad-request (400), item-not-found,
    // not-authorized, forbidden (403), timeouts, etc. None of these mean
    // "no photo" — they mean the lookup itself failed.
    const reason = err?.data?.reason ?? err?.message
    if (reason === 'item-not-found' || reason === 'not-authorized') {
      // safe to treat as "unavailable" for this number
      return null
    }
    throw err // bubble up real failures (rate limit, transport, etc.)
  }
}

Two failure modes to handle separately. First, `profilePictureUrl` resolves to `undefined` when the contact has no photo or has hidden it — your code should map that to `null` and move on. Second, for many JIDs and edge cases Baileys throws a Boom error, so the call must live inside a try/catch. In practice the thrown reasons are `bad-request` (HTTP 400), `item-not-found`, `not-authorized`, and occasionally `forbidden` (HTTP 403) or a timeout — see issues #900, #904, and #1979 in the repo. Note the labels: `forbidden` is 403 and `not-authorized`/`unauthorized` maps to 401; a bare 404 check is too narrow and will miss the common cases. Treating the empty case as an exception, or letting a thrown error crash a batch job, are the two most common mistakes here.

Pin a known-good Baileys version

Baileys v7 reworked the privacy/tcToken logic that gates profile-picture access, and several users report `profilePictureUrl` hanging indefinitely on individual contacts as a result (issue #2498). If lookups stall with no error and no result, that's the symptom. Pin to a version you have tested end to end, watch the v7 migration notes, and always pass the timeout argument so a hang surfaces as a catchable error rather than a stuck job.

A note on history and risk: the original adiwajshing repository was taken down in April 2023 after WhatsApp's legal team issued a cease-and-desist for Terms-of-Service violations. The community revived it as WhiskeySockets, and the README carries an explicit responsible-use disclaimer — no spam, no stalkerware. Use it accordingly.

Method 2 — whatsapp-web.js (getProfilePicUrl)

whatsapp-web.js takes a different architectural path: it drives a real WhatsApp Web session inside a headless Chromium browser via Puppeteer. That makes it heavier on memory and slower to start than Baileys, but some teams prefer its higher-level, event-driven client API. It is Apache-2.0 licensed and actively maintained.

const { Client } = require('whatsapp-web.js')
const client = new Client(/* auth + puppeteer config */)

client.on('ready', async () => {
  const contactId = '[email protected]'
  try {
    const url = await client.getProfilePicUrl(contactId)
    // In practice this is often undefined/null when the photo is hidden
    // or unset — see the note below; the docs only promise a URL string.
    console.log(url ?? 'no public photo')
  } catch (e) {
    console.error('lookup failed', e)
  }
})

client.initialize()

The official docs describe `getProfilePicUrl` plainly: it returns the contact's profile picture URL "if privacy settings allow it," and document the return type as a Promise that resolves to a string. They do not formally document an `undefined`/`null` value for the hidden-or-no-photo case. In practice, though, that is exactly what developers observe — the call commonly resolves to a falsy value rather than throwing when there is nothing to return, the same privacy-aware behaviour you see with Baileys. Treat that as observed community behaviour, not a documented contract, and code defensively for it. There are also frequent community reports of this method returning null or failing after WhatsApp ships internal Web changes, because the library has to track an evolving browser interface. Build retries and graceful degradation around it.

Both libraries breach WhatsApp's ToS

whatsapp-web.js states clearly that it is not affiliated with WhatsApp, that WhatsApp does not allow unofficial clients, and that "it is not guaranteed you will not be blocked." The same applies to Baileys. Use a number you control, keep volumes modest, and never deploy this against an account you cannot afford to lose.

Baileys vs whatsapp-web.js vs hosted API

The right choice depends on how much infrastructure you want to own and how reliable the result must be. This table summarises the practical differences for the profile-picture use case specifically.

Factor	Baileys	whatsapp-web.js	Hosted Profile API
Method	sock.profilePictureUrl(jid)	client.getProfilePicUrl(id)	HTTP GET with phone number
Architecture	Pure WebSocket, no browser	Headless Chromium via Puppeteer	Remote service, nothing to run
Session to maintain	Yes — linked device	Yes — linked device	No (provider's)
Resource footprint	Low	High (browser + RAM)	None on your side
Hidden / no photo	undefined (or Boom error)	undefined / null (observed)	null / empty field
WhatsApp ToS	Violates (ban risk on your number)	Violates (ban risk on your number)	Provider operates the access
License	MIT	Apache-2.0	Commercial / tiered

If you already run a WhatsApp automation stack and need many other operations, a library is logical. If you only need photos (often alongside a name, about text, or business flag) and do not want to babysit a linked session or carry the ban risk on your own number, a hosted API is usually the simpler, more durable choice — at the cost of trusting a third party with your queries.

Caching and rate-limiting: the part everyone skips

Whichever method you use, the URL you get back is a time-limited, signed link to WhatsApp's media CDN (the pps.whatsapp.net / mmg hosts). It will expire. If you store the URL in a database and serve it later, it will eventually return 403. The fix is simple: download the image bytes immediately and cache those — in object storage or a blob column — then serve from your own copy.

async function fetchAndStore(sock, phone, store) {
  const cached = await store.get(phone)
  if (cached !== undefined) return cached // hit (incl. negative-cached null)

  const url = await getWaPhoto(sock, phone)
  if (!url) {
    await store.set(phone, null, { ttl: '24h' }) // negative cache
    return null
  }
  const bytes = Buffer.from(await (await fetch(url)).arrayBuffer())
  const key = await store.put(`${phone}.jpg`, bytes) // your CDN/bucket
  await store.set(phone, key, { ttl: '7d' })
  return key
}

Negative caching matters just as much. When a lookup returns `undefined`/null because the photo is hidden, cache that empty result too — otherwise you will re-query the same hidden numbers endlessly, burning rate budget and increasing ban exposure. A short TTL (say 24 hours) lets you pick up a newly added photo later without hammering the protocol.

Rate-limit your lookups

A single linked-device session can do many lookups, but bursty traffic is exactly what trips automated abuse detection. Throttle requests, add jitter, and cache aggressively. Slow and steady keeps your number alive.

Method 3 — a hosted Profile API (no session required)

Disclosure

The hosted service shown below, whatsapp.checkleaked.cc, is our own product. We include it because it is the approach we know best and the one this site is built around — but the engineering points in this section apply to any hosted Profile API, and you should evaluate alternatives on the same criteria.

If maintaining a linked WhatsApp account, handling re-authentication, and accepting ban risk on your own number all sound like overhead you would rather not own, a hosted Profile API solves the same problem with a plain HTTP request. You send a phone number; you get back JSON containing the public profile photo URL, and most providers also include the display name, about text, and a business-account flag when those are visible. Because these services read the same privacy-gated public data, they should return null or an empty field when the photo is hidden, mirroring the libraries' behaviour.

BASH

# Response shape is illustrative — check the provider's API reference
# for the exact field names and types before integrating.
curl -s 'https://whatsapp.checkleaked.cc/api/check?number=14155552671' \
  -H 'Authorization: Bearer YOUR_API_KEY'
# => roughly: { "isWAContact": true, "profilePic": "https://pps.whatsapp.net/...",
#               "name": "...", "about": "...", "isBusiness": false }

The trade-off is straightforward: you give up running the protocol yourself in exchange for a stable JSON contract, no session lifecycle, and the provider — rather than you — operating the unofficial access. Treat any vendor's reliability and "public data only" claims (ours included) as marketing until you have verified them against your own test numbers and the provider's documented policy. For lead enrichment, CRM hydration, or anti-fraud signals where you need the photo plus a few other fields per number, a hosted API tends to be the lowest-friction path. You still get the same null-when-hidden semantics, so your downstream handling logic is identical to the library approach — just without the linked device.

Whatever route you pick, the engineering checklist is the same: confirm you have a lawful basis for the lookup, treat null as a normal outcome, cache the image bytes rather than the expiring URL, negative-cache hidden results, throttle your request rate, and never store or display anyone's photo in a way that ignores the privacy intent behind it being public.

Frequently asked questions

Fetch public WhatsApp profile photos without running a session

Send a phone number, get back the public profile picture URL plus name, about text, and business flag as JSON — no linked device to maintain, no ban risk on your own number. This is our own Profile API; free tier to start.

Explore the Profile Picture API

Sources & further reading

More from the blog

Written by

Eduardo Airaudo

Developer and founder of the WhatsApp Profile API. Building WhatsApp tooling and APIs since 2022.