How much does the WhatsApp Profile API cost?

There are four tiers: BASIC is free with 50 requests/month, PRO is $35/month for 10,000 requests, ULTRA is $139/month for 50,000 requests, and MEGA is $449/month for 500,000 requests. Pay-As-You-Go credits are also available from $40 per 50,000 requests with crypto or $50 via PayPal.

What information does the API return?

The API returns whether a number is registered on WhatsApp, the public profile picture URL, the display name, the about/status text, and flags for WhatsApp Business and Enterprise accounts. Fields return null when the target user has restricted visibility in their WhatsApp privacy settings.

Does the lookup notify the target WhatsApp account?

No. The lookup is silent. It does not trigger the 'online' status, blue ticks, or any notification. It performs a directory-level existence query plus a read of public profile data the target has chosen to expose.

Can I access the API through RapidAPI or Apify?

Yes. The same JSON response is available on three channels: direct purchase (lowest per-request price), RapidAPI marketplace (fastest setup), and Apify Actor (no-code friendly). Direct purchase typically saves ~20% versus the equivalent RapidAPI-channel usage.

Is it illegal to use unofficial WhatsApp libraries like Baileys?

Using them is not a criminal matter for typical developers, but it does violate WhatsApp's Terms of Service, which prohibit unofficial clients and automated or bulk messaging. The realistic consequence is enforcement by WhatsApp: the linked account can be banned, often permanently and without warning. The library maintainers themselves state they are not affiliated with WhatsApp and discourage bulk or automated use. For business-critical messaging, treat unofficial clients as off-limits.

How much does the WhatsApp Cloud API cost?

Since July 1, 2025, Meta charges per delivered template message rather than per conversation. Service messages (your replies inside an open 24-hour window) are free. Utility templates are free inside the window and charged outside it; Marketing and Authentication templates are always charged. Rates are set per recipient country and volume-based discounts apply to utility and authentication traffic, so a per-message price in one market can differ significantly from another. Always check Meta's official pricing page for current rates, since older articles still cite the retired conversation-based model.

What is the 24-hour window in the WhatsApp Business API?

It's the customer service window that opens when a user messages your business. For 24 hours from their latest inbound message — and resetting each time they reply — you can send free-form messages in any format. Once it closes, you can only reach the user with pre-approved message templates. This window plus the template system is WhatsApp's core anti-spam design and the main thing you architect your flows around.

Baileys vs whatsapp-web.js — which is better?

They solve the same problem differently. Baileys (MIT) talks the WhatsApp Web WebSocket protocol directly, so it needs no browser, uses little RAM, and is fast — but its API is lower-level and its v7 line (in release-candidate stage at the time of writing) introduces breaking changes. whatsapp-web.js (Apache-2.0) drives a real headless Chromium via Puppeteer, giving a friendlier API at the cost of heavier resources and more fragility when WhatsApp changes its web UI. Choose Baileys for efficiency and scale, whatsapp-web.js for simplicity. Both carry the same ToS and ban risk.

Can I avoid getting banned while using an unofficial library?

You can reduce risk but not eliminate it. Bans are most likely with new numbers, high volume, cold outreach, and identical bulk content. Using an aged number, keeping volume low, and only messaging people who contacted you first all help. But there is no safe configuration that WhatsApp endorses — the only ban-proof path for business messaging is the official Cloud API. Treat any number on an unofficial client as disposable.

Do I need the messaging API just to check if a number is on WhatsApp?

No. Verifying registration and reading public profile data (picture, display name, about, business flag) is a read-only lookup that doesn't require running a messaging client or sending anything. A dedicated profile API does this without logging in as a user, so it avoids the ban risk of unofficial clients and the per-message cost of the Cloud API. It's a natural first step: validate and enrich your list, then message the valid contacts through the Cloud API.

Home
/
Blog
/
WhatsApp Cloud API vs Unofficial Libraries: Which Should You Use?

Comparisons

10 min read Jun 5, 2026

WhatsApp Cloud API vs Unofficial Libraries: Which Should You Use?

Name: WhatsApp Profile API
Availability: InStock
Rating: 4.5 (162 reviews)
Author: Eduardo Airaudo

A balanced, compliance-forward comparison of Meta's official WhatsApp Cloud API and unofficial libraries (Baileys, whatsapp-web.js): cost, ban risk, and the right tool for the job.

Key takeaways

The official WhatsApp Business Cloud API is Meta-hosted, fully ToS-compliant, and protected from bans, but you pay per delivered template message and must complete onboarding (WABA, phone number, Business Verification).
Unofficial libraries like Baileys (WebSocket, MIT) and whatsapp-web.js (Puppeteer, Apache-2.0) are free and fast to prototype with, but they violate WhatsApp's ToS and can get the linked number banned permanently without warning.
Pricing changed on July 1, 2025: WhatsApp moved from conversation-based billing to per-message pricing. Utility templates are free inside an open 24h window; Marketing and Authentication are always charged.
Use the Cloud API for anything production, commercial, or high-volume. Use unofficial libraries only for hobby projects, internal tooling, or a number you can afford to lose.
If you only need to verify and enrich numbers before messaging them, a read-only profile lookup avoids both the ban risk of unofficial clients and the per-message cost of the Cloud API.

WhatsApp Cloud API vs an unofficial library: two very different paths

If you want to send or receive WhatsApp messages from code, you face a fork in the road. One path is the official WhatsApp Business Cloud API, hosted by Meta on the WhatsApp Business Platform. The other is a family of unofficial open-source libraries — most prominently Baileys and whatsapp-web.js — that reverse-engineer the WhatsApp Web protocol and drive a regular personal account. They look interchangeable in a quick demo, but they sit on opposite sides of a line: one is a sanctioned, paid, compliant channel; the other is a free-but-prohibited workaround that WhatsApp actively detects and bans.

This guide compares them honestly. We will look at cost (including the major pricing change Meta shipped on July 1, 2025), onboarding and verification, the 24-hour customer service window and message templates, ban risk, scalability, and compliance — then give a clear recommendation for which to choose based on what you are actually building. The goal is not to dismiss either option but to help you pick the right tool without nasty surprises.

The official WhatsApp Business Cloud API

The Cloud API is a REST API exposed through Meta's Graph API. You POST messages to an endpoint like graph.facebook.com/<version>/<phone-number-id>/messages and Meta handles the rest. Meta hosts it for free. The older self-hosted On-Premises API reached end-of-life on October 23, 2025 (Meta first announced its deprecation back in October 2023), so the Cloud API is now the only path for new and migrating integrations. You can integrate directly with Meta or through a Business Solution Provider (BSP) such as Twilio, Infobip, 360dialog, or Vonage, which add tooling and support on top — usually at a markup.

Onboarding is the price of legitimacy. You need a Meta Business Portfolio, a WhatsApp Business Account (WABA), and a phone number that is not currently active on the consumer WhatsApp or WhatsApp Business app. Setup typically runs through Embedded Signup. Completing Business Verification — submitting legal documents to Meta — unlocks higher messaging limits and display-name benefits. It is more friction than scanning a QR code, but in return you get deliverability, an SLA-backed channel, and protection from bans.

BASH

# Graph API version below is illustrative — use the latest stable version
# Meta publishes (e.g. v23.0). Pin a version explicitly; do not omit it.
curl -X POST \
  'https://graph.facebook.com/v23.0/<PHONE_NUMBER_ID>/messages' \
  -H 'Authorization: Bearer <ACCESS_TOKEN>' \
  -H 'Content-Type: application/json' \
  -d '{
    "messaging_product": "whatsapp",
    "to": "15551234567",
    "type": "template",
    "template": {
      "name": "order_confirmation",
      "language": { "code": "en_US" }
    }
  }'

The 24-hour window and message templates

The Cloud API's central rule is the 24-hour customer service window. When a user messages your business, a window opens; it lasts 24 hours from that user's most recent inbound message and resets every time they reply. Inside the window you may send free-form messages in any format — text, media, interactive buttons. Outside the window you may only send pre-approved message templates.

Templates are submitted to Meta for review. Approval is often near-instant for verified businesses and can take up to about 24 hours otherwise. Templates fall into three categories that drive billing: Marketing, Utility, and Authentication. This template system is what keeps the channel low-spam — and it is the single biggest behavioural difference from unofficial libraries, where you can send anything to anyone with no review (and no protection).

Why templates exist

The template + window model is WhatsApp's anti-spam mechanism. It forces business-initiated outreach through a reviewed, categorised path while keeping genuine support conversations free and flexible. Designing your flows around the window is the key skill for Cloud API development.

2025 pricing: per-message, not per-conversation

This is where many older articles are wrong. On July 1, 2025, Meta moved from conversation-based pricing to per-message pricing. You are now billed per delivered template message, not per 24-hour conversation, and the old 'first 1,000 conversations per month free' tier no longer applies under the new model. Non-template service messages — your replies inside an open window — are free.

There are three paid template categories. Crucially, Utility templates are free when delivered inside an open 24-hour customer service window, and charged only when sent outside it. Marketing and Authentication templates are charged regardless of the window. Rates are set per recipient country code and vary widely — as of 2025, Marketing rates in markets like Brazil sit at the higher end, while India is among the cheapest — and volume-based discount tiers apply to utility and authentication traffic.

Message type	Charged?	Notes
Service message (reply in open window)	Free	Any format, unlimited
Utility template	Free inside window, paid outside	Order updates, alerts, receipts
Marketing template	Always paid	Promotions, re-engagement
Authentication template	Always paid	OTPs and 2FA codes

To budget at all, you need rough numbers — but treat these as directional, not authoritative. As of 2025, per-message rates for charged categories commonly land somewhere between roughly US$0.005 and US$0.10 depending on the recipient's country and the template category, with Marketing typically the most expensive tier and Authentication/Utility cheaper, especially with volume discounts. These figures move; price a real campaign against Meta's official rate card for your target countries before committing.

Don't trust outdated pricing posts

If a guide still talks about a 'free tier of 1,000 conversations' or 'conversation-based pricing,' it predates the July 1, 2025 change. Country rates and discount tiers also shift over time, so always confirm current numbers against Meta's official pricing documentation before you budget.

Unofficial libraries: Baileys and whatsapp-web.js

Unofficial libraries speak the WhatsApp Web protocol on behalf of a personal account linked through the multi-device 'linked devices' feature. They are free, install in minutes, and let you send free-form messages immediately with no templates, no window, and no verification. That convenience is exactly why they are popular for prototypes — and exactly why they are risky for production.

Baileys (repo WhiskeySockets/Baileys, MIT licensed, maintained by the WhiskeySockets org) is a TypeScript library that talks the WhatsApp Web WebSocket protocol directly. It uses no Chromium or Puppeteer, so it is light on RAM and fast. The v7 line — currently shipping as release candidates rather than a stable GA release — introduces breaking changes with a migration guide; login is via QR code or pairing code. The npm package is now simply baileys (the legacy scope @whiskeysockets/baileys still publishes the same project).

whatsapp-web.js (repo wwebjs/whatsapp-web.js, originally by Pedro S. Lopez, Apache-2.0) takes a different approach: it drives a real headless Chromium running WhatsApp Web via Puppeteer. It is one of the most popular WhatsApp Web libraries and its API is approachable, but it is heavier, needs Node 18+, and is more brittle when WhatsApp changes its web UI. Both projects carry explicit disclaimers that they are not affiliated with WhatsApp and that you may be blocked.

import makeWASocket, { useMultiFileAuthState } from 'baileys'

const { state, saveCreds } = await useMultiFileAuthState('auth')
const sock = makeWASocket({ auth: state })

sock.ev.on('creds.update', saveCreds)
sock.ev.on('messages.upsert', async ({ messages }) => {
  const msg = messages[0]
  if (!msg.key.fromMe && msg.message) {
    await sock.sendMessage(msg.key.remoteJid, { text: 'Hello from Baileys' })
  }
})

Ban risk and compliance: the honest part

WhatsApp's Terms of Service prohibit unofficial clients and automated or bulk messaging. WhatsApp's own help center explains that using unauthorised apps can get your account banned — and in practice bans are often permanent and arrive without warning. The maintainers of both libraries say the same thing in their READMEs: they are not affiliated with WhatsApp, and they discourage bulk, automated, or stalkerware-style use. There is no SLA, no support, and no compliance guarantee.

Risk scales with how 'commercial' your behaviour looks. A brand-new number, high send volume, cold outreach to people who never messaged you, and identical bulk content are the strongest triggers. A low-traffic personal automation on an aged number is less likely to be flagged — but 'less likely' is not 'safe.' If losing the number would hurt your business, do not put it on an unofficial client.

Treat unofficial numbers as disposable

If you use Baileys or whatsapp-web.js, assume the linked account can be banned at any time. Never use your primary business number, keep backups of session state and contacts, and never rely on it for revenue-critical messaging.

The Cloud API, by contrast, is the sanctioned channel. It is governed by the WhatsApp Business Messaging Policy and Commerce Policy, and quality matters: a low quality rating can throttle your messaging limits or pause specific templates. But you are not at risk of a surprise account ban for simply using the API as intended — compliance is built into the model rather than fought against it.

Scalability and messaging limits

The Cloud API enforces messaging limits on business-initiated template messages. Since the October 7, 2025 change, these limits apply at the Business Portfolio level rather than per phone number — so the starting tier of 250 unique recipients per rolling 24 hours is itself shared across your whole portfolio, not granted afresh to each number you add. From that 250 floor, the limit rises to 1,000 after Business Verification, then 10,000, 100,000, and eventually unlimited as your volume and quality rating prove out. Service messages (replies inside the window) are unlimited.

Unofficial libraries have no formal limits — but that is a trap, not a feature. There is no enforced ceiling because there is no sanctioned channel; the practical ceiling is 'how much can you send before WhatsApp's spam detection bans you.' For genuine scale, the Cloud API's predictable, published tiers are far more useful than an unofficial library's unbounded-until-banned behaviour.

Dimension	Cloud API (official)	Unofficial libraries
Hosting	Meta-hosted REST/Graph API	Self-hosted client on your server
Cost	Per delivered template message	Free (software); your infra only
Onboarding	WABA + number + Business Verification	Scan a QR / pairing code
Compliance	Fully ToS-compliant	Violates WhatsApp ToS
Ban risk	Protected when used as intended	High; permanent bans without warning
Scaling	Published, tiered, portfolio-level limits	Unbounded until detected/banned
Support / SLA	Yes (Meta or BSP)	None
Free-form messages	Only inside 24h window	Anytime (no window)

Which should you actually use?

Choose the WhatsApp Business Cloud API for anything production, commercial, or high-volume: customer support at scale, OTPs and authentication, transactional alerts, and compliant marketing notifications. You pay per template plus any BSP markup, and you accept onboarding friction — in exchange for reliability, deliverability, support, and protection from bans. For any business that depends on WhatsApp, this is the only responsible choice.

Choose an unofficial library only for hobby projects, prototypes, internal tooling, or personal automation on a number you can afford to lose. Pick Baileys when you want a lightweight, browser-free WebSocket client; pick whatsapp-web.js when you prefer a simple, batteries-included API and don't mind running headless Chromium. Just go in clear-eyed: it is free but ToS-violating, with real legal and operational risk and zero guarantees. It is not a drop-in replacement for the Cloud API in a business setting.

There is also a third, complementary category worth knowing. If your real need is simply to verify whether numbers are on WhatsApp and enrich them with public profile data before you message them, you don't need a full messaging client at all. A read-only profile lookup checks registration and returns public details such as the profile picture, display name, about text, and business-account flag — without logging in as a user or risking a messaging ban. Clean your list with one of those, then message the valid contacts compliantly through the Cloud API.

Frequently asked questions

Verify and enrich numbers before you message them

Clean your contact list first: check whether each number is on WhatsApp and pull its public profile, name, and business flag — no messaging client required. A natural complement to the Cloud API.

Explore the WhatsApp Profile API

Sources & further reading

More from the blog

Written by

Eduardo Airaudo

Developer and founder of the WhatsApp Profile API. Building WhatsApp tooling and APIs since 2022.