WhatsApp Gateway
API referenceContacts

Get a contact's profile picture

Fetches the contact's current profile picture from WhatsApp and returns its URL and metadata. This is a **live lookup** against WhatsApp — the session must be **connected**. If the session is not connected the gateway responds `501` (`not_implemented`). The returned URL points at WhatsApp's CDN and is time-limited; fetch it promptly. **Auth:** requires the `read` capability. **Errors:** `404` (`not_found`) if the session does not exist or is not owned by the caller's organization (also returned when the contact has no accessible picture, depending on privacy settings); `501` (`not_implemented`) if the session is not connected.

GET
/api/v1/sessions/{session}/contacts/{jid}/picture

Authorization

AuthorizationBearer <token>

Send Authorization: Bearer <token>. The router accepts two kinds of token and tries each in turn: a frontend-minted login JWT (verified against the frontend JWKS; the person's org + role are read from it), or an api-key for a script/service (carrying a fixed set of gateway permissions). The bearerFormat: JWT label describes the person-login case.

In: header

Path Parameters

session*string

The WhatsApp session id used to perform the live action. The session must be connected.

jid*string

A WhatsApp JID — the address of a user (e.g. "14155550123@s.whatsapp.net"), group ("...@g.us"), or channel. For contact picture/about/block/unblock this is the target user's JID.

Response Body

application/json

application/json

curl -X GET "https://example.com/api/v1/sessions/sess_01HZX/contacts/14155550123@s.whatsapp.net/picture"
{  "id": "string",  "url": "string"}
{  "error": {    "code": "not_found",    "details": {      "property1": null,      "property2": null    },    "message": "session not found"  }}

Block a contact POST

Tells WhatsApp to block this contact so they can no longer message the session. This is a **live action** against WhatsApp — the session must be **connected**. If the session is not connected the gateway responds `501` (`not_implemented`). The operation is **idempotent**: blocking an already-blocked contact succeeds with the same `204` and no additional effect. On success the response body is empty. **Auth:** requires the `send` capability. **Errors:** `404` (`not_found`) if the session does not exist or is not owned by the caller's organization; `501` (`not_implemented`) if the session is not connected.

Unblock a contact POST

Tells WhatsApp to unblock this contact so they can message the session again. This is a **live action** against WhatsApp — the session must be **connected**. If the session is not connected the gateway responds `501` (`not_implemented`). The operation is **idempotent**: unblocking a contact who is not blocked succeeds with the same `204` and no additional effect. On success the response body is empty. **Auth:** requires the `send` capability. **Errors:** `404` (`not_found`) if the session does not exist or is not owned by the caller's organization; `501` (`not_implemented`) if the session is not connected.