How much does the WhatsApp Profile API cost?

There are four tiers: BASIC is free with 50 requests/month, PRO is $35/month for 10,000 requests, ULTRA is $139/month for 50,000 requests, and MEGA is $449/month for 500,000 requests. Pay-As-You-Go credits are also available from $40 per 50,000 requests with crypto or $50 via PayPal.

What information does the API return?

The API returns whether a number is registered on WhatsApp, the public profile picture URL, the display name, the about/status text, and flags for WhatsApp Business and Enterprise accounts. Fields return null when the target user has restricted visibility in their WhatsApp privacy settings.

Does the lookup notify the target WhatsApp account?

No. The lookup is silent. It does not trigger the 'online' status, blue ticks, or any notification. It performs a directory-level existence query plus a read of public profile data the target has chosen to expose.

Can I access the API through RapidAPI or Apify?

Yes. The same JSON response is available on three channels: direct purchase (lowest per-request price), RapidAPI marketplace (fastest setup), and Apify Actor (no-code friendly). Direct purchase typically saves ~20% versus the equivalent RapidAPI-channel usage.

Do I need WhatsApp Business to build a bot?

It depends on the path. The official WhatsApp Cloud API runs on a WhatsApp Business Account (you get a free test one in the sandbox, and a verified business number for production). The unofficial libraries — Baileys and whatsapp-web.js — automate any regular WhatsApp account, personal or business, by linking as a device. The catch is that automating an ordinary number this way violates WhatsApp's Terms and risks a ban, so a business-critical number is exactly the one you don't want to use with an unofficial library.

Is building a WhatsApp bot with Baileys or whatsapp-web.js legal or safe?

The libraries themselves are open-source (MIT and Apache-2.0 respectively) and legal to use. The risk is to your WhatsApp account, not legal liability: both are unofficial, reverse-engineered clients, both ship disclaimers that they aren't affiliated with WhatsApp, and using them to automate a number can violate WhatsApp's Terms of Service. Account bans are documented in the libraries' own issue trackers, with users reporting them after widely varying message volumes. They are reasonable for prototypes or personal projects, but not for a number you can't afford to lose.

How do I verify the WhatsApp Cloud API webhook?

Two steps. When you register the URL, Meta sends a GET with hub.mode, hub.verify_token, and hub.challenge query params — check the token matches your secret, then return hub.challenge as plain text with a 200. After that, real messages arrive as POST requests signed with an HMAC-SHA256 of the raw body in the X-Hub-Signature-256 header, keyed by your App Secret. Recompute the HMAC over the raw body and compare with crypto.timingSafeEqual (not ===) before trusting the payload. The endpoint must be HTTPS with a valid, non-self-signed certificate.

What is the 24-hour window in the WhatsApp Cloud API?

After a user messages your business, you have a 24-hour customer service window in which you can send free-form replies of any kind — and those service messages are free. Each new inbound message from the user resets the 24-hour timer. Once the window closes, you can no longer send arbitrary text; you must use a pre-approved template message to re-open the conversation. This rule only applies to the official Cloud API, and it is the most common thing new builders miss.

Should I use the official Cloud API or an unofficial library?

Use the Cloud API for anything production, commercial, or at scale: it's the only sanctioned path, has no Terms-of-Service ban risk, scales cleanly, and offers a free dev sandbox. Use Baileys for lightweight prototypes or personal projects where you want no browser and accept the ban risk, and whatsapp-web.js when you need WhatsApp Web feature parity and don't mind the Chromium footprint — both carry the same ban risk. Match the platform to the stakes of the number you're putting on the line.

Home
/
Blog
/
How to Build a WhatsApp Bot in 2026 (Step-by-Step)

Guides

12 min read May 28, 2026

How to Build a WhatsApp Bot in 2026 (Step-by-Step)

Name: WhatsApp Profile API
Availability: InStock
Rating: 4.5 (162 reviews)
Author: Eduardo Airaudo

A practical end-to-end tutorial for building a WhatsApp bot in 2026 — compare the official Cloud API against Baileys and whatsapp-web.js, then ship a working bot with real code, webhooks, media handling and honest compliance guidance.

Key takeaways

There are three realistic paths in 2026: Meta's official WhatsApp Cloud API (sanctioned, free dev sandbox, per-message pricing in production) and two unofficial libraries — Baileys (WebSocket, no browser) and whatsapp-web.js (Puppeteer + Chromium).
Only the Cloud API carries zero Terms-of-Service ban risk. Baileys and whatsapp-web.js are reverse-engineered, ship their own disclaimers, and have documented account bans — user reports describe bans sometimes after only a handful of messages.
For the official path you build a webhook: a GET handler that echoes hub.challenge, and a POST handler that verifies the X-Hub-Signature-256 HMAC with crypto.timingSafeEqual before reading messages.
The 24-hour customer service window lets you send free-form (and free) replies for 24h after each user message; outside it you must use a pre-approved template.
Use the Cloud API for anything production or commercial; reach for Baileys or whatsapp-web.js only for prototypes or personal projects where the ban risk is acceptable.

Three paths to a WhatsApp bot — pick before you code

Before writing a single line, decide which platform you are building on, because the choice dictates everything else: your code, your hosting, your costs, and whether your number can be banned. In 2026 there are three realistic ways to put a WhatsApp bot into the world.

The first is the official one — Meta's WhatsApp Cloud API, a hosted Graph API endpoint at graph.facebook.com. It is the only WhatsApp-sanctioned way to build a bot, it gives you a free test number and sandbox to develop against, and it carries no Terms-of-Service ban risk. The other two are unofficial, reverse-engineered libraries that automate a regular WhatsApp account: Baileys, a pure WebSocket client with no browser, and whatsapp-web.js, which drives WhatsApp Web inside a headless Chromium. Both are powerful and free, both let you automate an ordinary number, and both put that number at risk.

This guide compares all three honestly, then walks you through a concrete build on each side: an official Cloud API webhook bot, and a quick unofficial bot with Baileys. By the end you will know which path fits your project and have working code to start from.

Cloud API vs Baileys vs whatsapp-web.js

Here is the decision at a glance. Versions are a snapshot verified mid-2026 — check each project's releases page when you read this, since the unofficial libraries move quickly.

	WhatsApp Cloud API	Baileys	whatsapp-web.js
Owner	Meta (official)	WhiskeySockets	wwebjs (orig. Pedro S. Lopez)
Install	REST / Graph API	npm i baileys	npm i whatsapp-web.js
Architecture	Meta-hosted HTTP endpoint	WebSocket multi-device, no browser	Puppeteer + Chromium (WhatsApp Web)
License	Hosted service (Meta ToS)	MIT	Apache-2.0
Latest	per-message pricing model	7.0.0 line (rc13)	v1.34.7 (Apr 2026)
Auth	Access token + verified number	QR or pairing code	QR scan
Footprint	None (you call an API)	Lightweight (Node 17+, ESM)	Heavy (full Chromium per session)
Ban risk	None — sanctioned	Real — documented bans	Real — documented bans
Best for	Production, commercial, scale	Lightweight prototypes, personal	Web-feature parity, don't mind Chromium

Architecture is not safety

It is tempting to think Baileys is 'safer' because it has no browser, or whatsapp-web.js is 'safer' because it mirrors the real web client. Neither is true. WebSocket vs Puppeteer is a performance and footprint trade-off. Both are unofficial clients and both can get your number permanently banned. Only the Cloud API removes ToS ban risk entirely.

Path A — Official Cloud API: setup and sandbox

Start here if you are building anything production or commercial. The Cloud API is compliant, scalable, and free to develop against. The setup, all in the Meta dashboard at developers.facebook.com, is roughly: create a Meta app, add the WhatsApp product, and you are issued a free test phone number attached to a test WhatsApp Business Account (a sandbox). You can send and receive messages with that test number at no charge while you develop — no message billing until you move to a real number.

From the dashboard, grab three values you will use in code: a temporary access token, your test number's phone number ID, and your app secret (used to verify incoming webhooks). Going to production later requires a real number, Meta Business verification, and usually a Business Solution Provider — but none of that is needed to build and test the bot.

Create a Meta app at developers.facebook.com and add the WhatsApp product.
Copy the test phone number ID and the temporary access token from the API Setup panel.
Add a recipient test number (your own phone) so the sandbox can message you.
Note your App Secret under App Settings → Basic — you will need it to verify webhook signatures.

Free dev, paid prod

The sandbox costs nothing. In production (since July 1, 2025) you are charged per delivered message across four categories — marketing, utility, authentication, and service. Service messages (free-form replies inside the 24-hour window) are free. Marketing templates are billed per delivered message — roughly $0.025 each on a typical 2026 rate card in markets where marketing is permitted, plus any BSP markup — but exact rates vary widely by country. Important: Meta paused marketing-category templates to US (+1) numbers on April 1, 2025; those messages fail to deliver (error code 63049) and there is no confirmed resumption date, so do not budget for paid US marketing sends. Always price against Meta's current per-country rate card for your target market.

Path A — Receiving messages with a verified webhook

The Cloud API delivers incoming messages by calling a webhook URL you host. Setting it up has two halves. First, when you register the URL, Meta sends a GET request to verify you own it. It includes three query params: hub.mode (which will be 'subscribe'), hub.verify_token (a secret string you chose), and hub.challenge (a random value). You check the token matches, then echo hub.challenge back as plain text with a 200. Your endpoint must be HTTPS with a valid, non-self-signed TLS certificate.

import express from 'express'
import crypto from 'crypto'

const app = express()
const VERIFY_TOKEN = process.env.VERIFY_TOKEN
const APP_SECRET = process.env.APP_SECRET

// Keep the raw body so we can verify the signature later.
app.use(express.json({ verify: (req, _res, buf) => { req.rawBody = buf } }))

// 1) Webhook verification (GET): echo hub.challenge back.
app.get('/webhook', (req, res) => {
  const mode = req.query['hub.mode']
  const token = req.query['hub.verify_token']
  const challenge = req.query['hub.challenge']
  if (mode === 'subscribe' && token === VERIFY_TOKEN) {
    return res.status(200).send(challenge)
  }
  return res.sendStatus(403)
})

Second, real messages arrive as POST requests to the same URL. Meta signs every payload with an HMAC-SHA256 of the raw request body, keyed by your App Secret, in the header X-Hub-Signature-256: sha256=.... You must verify this before trusting the payload — and you must compare it with a timing-safe function (crypto.timingSafeEqual), never a plain === string comparison, which is vulnerable to timing attacks.

// 2) Incoming messages (POST): verify HMAC, then read the message.
app.post('/webhook', (req, res) => {
  const signature = req.get('X-Hub-Signature-256') || ''
  const expected = 'sha256=' + crypto
    .createHmac('sha256', APP_SECRET)
    .update(req.rawBody)
    .digest('hex')

  const a = Buffer.from(signature)
  const b = Buffer.from(expected)
  if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) {
    return res.sendStatus(401)
  }

  const entry = req.body.entry?.[0]?.changes?.[0]?.value
  const msg = entry?.messages?.[0]
  if (msg) {
    console.log('From', msg.from, 'type', msg.type, 'text', msg.text?.body)
  }
  res.sendStatus(200) // Always 200 quickly so Meta doesn't retry.
})

app.listen(3000)

Develop locally with a tunnel

Meta needs a public HTTPS URL, but you can develop on your laptop by tunnelling localhost through a service like ngrok or Cloudflare Tunnel. Point the webhook at the tunnel URL while testing, then swap in your deployed domain for production.

Path A — Replying, handling media, and the 24-hour window

To reply, POST to the Cloud API messages endpoint with your phone number ID and access token. Crucially, you can only send free-form replies within the 24-hour customer service window: after a user messages you, you have 24 hours to respond with any content for free, and each new inbound message resets the timer. Outside that window you must send a pre-approved template message instead — this is the single rule that trips up most beginners.

async function sendText(to, body) {
  const PHONE_ID = process.env.PHONE_NUMBER_ID
  const TOKEN = process.env.WHATSAPP_TOKEN
  // Bump v21.0 to the current Graph API version when you build.
  await fetch(`https://graph.facebook.com/v21.0/${PHONE_ID}/messages`, {
    method: 'POST',
    headers: {
      Authorization: `Bearer ${TOKEN}`,
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({
      messaging_product: 'whatsapp',
      to,                       // recipient in international format
      type: 'text',
      text: { body }            // free-form: only valid inside the 24h window
    })
  })
}

Pin a current Graph API version

The sample code targets Graph API v21.0, which was current at research time. Meta ships a new Graph API version roughly quarterly and deprecates old ones on a rolling schedule, so check the changelog and bump the version segment in the URL (e.g. /vXX.0/) to a supported release before you ship. Pinning an explicit version is correct — just keep it current.

Media works in two directions. Incoming images, audio, documents, and video arrive in the webhook as a media ID (not the file itself); you make a follow-up call to resolve the ID to a temporary download URL, then fetch the bytes with your token. To send media, you first upload the file to get a media ID, then reference that ID in a message of type image, document, audio, or video. Keep handlers fast — acknowledge the webhook with a 200 immediately and do downloads or heavy work asynchronously so Meta doesn't time out and retry.

Inbound media: read msg.image.id (or msg.document.id, etc.) → GET the media URL → download with your bearer token.
Outbound media: upload the file to /{PHONE_ID}/media → receive a media id → send a message referencing { id }.
Default throughput is about 80 messages per second per number (auto-upgradable as your quality holds).

Path B — A quick bot with Baileys (unofficial)

If you need a throwaway prototype or a personal-project bot and accept the ban risk, Baileys is the lightest unofficial option. It speaks WhatsApp's multi-device WebSocket protocol directly — no browser, no Puppeteer — so it starts fast and sips RAM. Install the package as baileys (the old @whiskeysockets/baileys scope is superseded), and note that v7 requires Node 17+ and is published as ESM.

Install the right package

Run npm i baileys — not @whiskeysockets/baileys. The scoped name is the old one. The repo lives at github.com/WhiskeySockets/Baileys, it is MIT-licensed, and the current line is 7.0.0 (latest publish at research time was 7.0.0-rc13). Pin an exact version rather than tracking the moving release candidate.

Authentication is by QR code or pairing code, and you persist the session with useMultiFileAuthState so you don't re-scan on every restart. The main entry point is makeWASocket. Here is a minimal echo-style bot that connects, prints a QR, and replies to incoming text:

import makeWASocket, { useMultiFileAuthState } from 'baileys'
import qrcode from 'qrcode-terminal'

const { state, saveCreds } = await useMultiFileAuthState('auth')
const sock = makeWASocket({ auth: state })

sock.ev.on('creds.update', saveCreds)
sock.ev.on('connection.update', ({ qr }) => {
  if (qr) qrcode.generate(qr, { small: true }) // scan from WhatsApp > Linked devices
})

sock.ev.on('messages.upsert', async ({ messages }) => {
  const msg = messages[0]
  if (!msg.message || msg.key.fromMe) return
  const text = msg.message.conversation || msg.message.extendedTextMessage?.text
  await sock.sendMessage(msg.key.remoteJid!, { text: `You said: ${text ?? ''}` })
})

whatsapp-web.js follows the same shape conceptually — you create a Client, listen for a 'qr' event, then a 'message' event, and call message.reply(). The difference is footprint: it boots a full Chromium via Puppeteer per session, so it is heavier but tracks the live web UI closely and tends to support new web features sooner. Choose it when you want that web-client parity and don't mind the browser overhead; choose Baileys when you want minimal resources.

Deploying your bot

The two paths deploy very differently. A Cloud API bot is just a stateless web service — your webhook handler — so it deploys like any HTTP app: a container or serverless function behind HTTPS on a platform such as Railway, Render, Fly.io, or a VPS. There is no session to keep alive; Meta holds the WhatsApp connection. Set your env vars (access token, app secret, verify token, phone number ID), point the webhook at your public HTTPS domain, and you are done.

An unofficial bot is stateful — it holds a live WhatsApp connection and an auth session that must survive restarts. That rules out most serverless platforms. Run it on a persistent host (a small VPS or a long-running container), and mount the auth folder on durable storage so a redeploy doesn't force a fresh QR scan. For whatsapp-web.js you also need the Chromium dependencies present in the image, which is why its Docker images are larger.

Cloud API: stateless web service, deploy anywhere with HTTPS, no session to persist.
Baileys: persistent host, durable volume for the auth/ folder, lightweight (no browser).
whatsapp-web.js: persistent host + Chromium in the image; size the container for a full browser.
Never commit tokens, app secrets, or the auth session to git — use environment variables and secret storage.

Compliance and ban risk — read before you ship

Be honest with yourself about which platform you chose. Baileys and whatsapp-web.js are both unofficial and reverse-engineered, and both say so. whatsapp-web.js's README states plainly that 'WhatsApp does not allow bots or unofficial clients on their platform, so this shouldn't be considered totally safe.' The Baileys maintainers say they do not condone practices that violate the Terms of Service and discourage stalkerware, bulk, or automated messaging. These are not theoretical warnings.

Real bans are documented. In the project's own issue tracker, users report the 'Your account has been disabled because you are using an unofficial WhatsApp' block (see the linked whatsapp-web.js ban thread in Sources). Those user reports describe bans landing after widely varying volumes — sometimes after only a handful of messages — though the exact threshold is anecdotal, not an officially published number. An unofficial bot puts your personal or business number at risk of permanent ban, and a banned number is hard to recover. If the number matters to you or your business, that risk should weigh heavily.

The Cloud API, by contrast, has no ToS ban risk because it is the sanctioned channel — at the cost of per-message pricing and stricter messaging rules: the 24-hour window, template approval, and tiered messaging limits that begin around 250 business-initiated conversations to unique customers per 24 hours and scale up with quality and verification. Note that since October 7, 2025 these messaging limits apply per Business Portfolio, not per individual phone number, so adding more numbers under the same portfolio does not stack the cap. Match the platform to the stakes: prototypes and personal tools can tolerate the unofficial route; anything customer-facing or revenue-bearing should be on the official API.

Read-only profile data has no ban risk

Some bot features — like checking whether a number is on WhatsApp before messaging it, or fetching a public profile picture and name — don't require running a WhatsApp session at all. A hosted profile API gives you that data over plain HTTP, with no QR scan and no account to ban, which keeps your sending lists clean regardless of which bot path you pick.

Which path should you choose?

The decision is mostly about stakes and scale. Use the WhatsApp Cloud API for anything production or commercial: it is compliant, scales cleanly, has a free development sandbox, and carries no ban risk. Reach for Baileys when you want a lightweight prototype or a personal project, you don't want a browser running, and you accept that the number could be banned. Pick whatsapp-web.js when you specifically need WhatsApp Web feature parity and don't mind the Chromium footprint — but understand it carries the same ban risk as Baileys.

Whichever you choose, the engineering fundamentals are the same: handle messages idempotently, keep secrets out of source control, respond to webhooks fast, and never send unsolicited bulk messages. The platform decision sets your ceiling on safety and scale; your behavior decides whether you stay within it.

Frequently asked questions

Clean your lists before your bot sends a thing

However you build your bot, only message numbers that are actually on WhatsApp. Our hosted API tells you if a number is registered and returns the public profile picture, display name, about text, and business flag from a single HTTP call — read-only, no QR scan, no ban risk.

Explore the WhatsApp Profile API

Sources & further reading

More from the blog

Written by

Eduardo Airaudo

Developer and founder of the WhatsApp Profile API. Building WhatsApp tooling and APIs since 2022.