whereisthis.place

Integrations

Developers & integrations

whereisthis.place is built primarily as a web application for analysts, journalists, and photographers — not as a public REST API product. This page documents how the existing upload pipeline works under the hood, what internal endpoints power the UI, how credits and privacy constraints apply, and how to reach us for enterprise or bulk integrations.

Last updated July 14, 2026

An honest overview for integrators

If you are evaluating whereisthis.place for a product integration, start with what we actually ship today: a browser-based photo geolocation tool with free client-side EXIF extraction and optional AI visual analysis. The primary interface is the web app at whereisthis.place — upload a photo, review metadata, run analysis, inspect ranked predictions on a map.

We do not publish OpenAPI docs, API keys, or a versioned public REST API for third-party developers. The endpoints described on this page — /api/analyze and /api/exif — exist to power our own frontend. They are session- and cookie-aware, subject to the same credit limits and anonymous usage caps as the UI, and may change without a deprecation schedule.

That transparency matters. Competitors like Picarta ship documented Python APIs for batch geolocation; whereisthis.place optimizes for interactive analyst workflows — fast EXIF reads, human-readable prediction cards, map verification, and privacy-first in-memory image handling. If your use case is high-volume automated pipelines, talk to us first rather than reverse-engineering internal routes.

For teams that need programmatic access at scale — newsroom CMS plugins, OSINT platform embeds, bulk archive processing, or on-premise deployment — we offer enterprise arrangements through /contact. Those engagements can include dedicated API credentials, SLAs, custom rate limits, and integration support. What follows documents the current web-app architecture so technical evaluators understand the system before reaching out.

The web app is the supported interface

Every feature a developer might want to replicate — EXIF GPS display, AI geolocation with up to five ranked predictions, confidence scores, geocoded coordinates, search history for logged-in users — is accessible through the standard web UI. New accounts receive one free AI search credit on signup; EXIF extraction never consumes credits.

The upload flow begins in the browser. When a user selects an image, exifr parses metadata locally before any network request. If GPS coordinates are present, the UI shows them immediately without calling our servers. Only when the user proceeds to AI analysis — or when server-side EXIF re-parsing is needed for formats like HEIC — does data leave the device.

Authenticated users with wallet credits or an active Pro subscription can run unlimited analyses within fair-use bounds. Anonymous visitors receive one free AI search per browser session, tracked via an httpOnly cookie. These rules apply equally to direct UI usage and to any script calling /api/analyze with the user's session cookies.

We recommend embedding links to whereisthis.place (e.g., 'Analyze this image') rather than proxying our internal endpoints through your backend without coordination. Undocumented integrations break when we ship UX improvements, and they may violate our acceptable use policy if used for stalking, doxxing, or non-consensual tracking.

  1. User uploads image in browser; EXIF parsed client-side.
  2. If GPS exists, coordinates display free — no server round-trip required.
  3. User triggers AI analysis; frontend POSTs to /api/analyze with session cookies.
  4. Server validates credits or anonymous quota, runs vision model or EXIF geocode path.
  5. Response returns searchId, predictions array, and reveal status.
  6. Logged-in users see full results; anonymous users may need registration to reveal AI predictions.

POST /api/analyze — AI geolocation pipeline

The /api/analyze endpoint is the core of our analysis pipeline. It accepts a JSON body with three fields: imageBase64 (a data URL or raw base64 string), mode (either geolocalize or georeference), and an optional exif object with latitude, longitude, timestamp, make, and model fields pre-extracted by the client.

When EXIF GPS coordinates are present and valid, the server skips the vision model entirely — it geocodes the coordinates via OpenStreetMap/Nominatim and returns predictions derived from metadata. This path is free and does not deduct credits. When GPS is absent, the server sends the image to our vision model provider (AIMLAPI), receives ranked place hypotheses, resolves each to coordinates, and returns up to five predictions with confidence scores and reasoning text.

Authentication is implicit: the endpoint reads the Supabase session from cookies for logged-in users, or an anonymous token cookie (witp_anon_token) for visitors. Credit checks run server-side before inference. Logged-in users without credits receive HTTP 402 with { error: insufficient_credits, redirect: /pricing }. Anonymous users who already consumed their free search receive HTTP 403 with { error: anon_limit_reached, redirect: /register }.

Successful responses include searchId (UUID), mode, exif (merged client + server metadata), predictions (array of place objects with lat, lng, confidence, reasoning), revealed (boolean — whether full results are visible), isAnon, and exifOnly flags. The server stores a small thumbnail and prediction JSON in our database; the original full-resolution image is not persisted.

Important limitations for integrators: there is no API key header, no CORS configuration for third-party origins, and no webhook callback. Requests must originate from a same-origin browser context (or a server-side proxy you build with explicit permission). The example below mirrors what our React frontend sends — it will not work from an arbitrary external domain without session cookies.

// Same-origin browser call — mirrors the web app upload flow.
// Requires an active session cookie (logged-in or anonymous).

async function analyzePhoto(dataUrl: string) {
  const response = await fetch("/api/analyze", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    credentials: "include", // sends Supabase + anon session cookies
    body: JSON.stringify({
      imageBase64: dataUrl,
      mode: "geolocalize", // or "georeference"
      exif: null,          // pass client-parsed EXIF when available
    }),
  });

  const result = await response.json();

  if (!response.ok) {
    if (result.redirect) window.location.href = result.redirect;
    throw new Error(result.error ?? "Analysis failed");
  }

  // result.predictions — up to 5 ranked { place, city, country, lat, lng, confidence, reasoning }
  // result.searchId     — UUID for history / reveal flows
  // result.revealed     — false for anonymous AI searches until registration
  return result;
}
HTTP statusMeaningTypical action
200Analysis succeededRender predictions or redirect to results
400Missing imageBase64 or modeValidate request payload
402Insufficient credits (logged-in)Redirect user to /pricing
403Anonymous free search already usedPrompt registration at /register
422HEIC placeholder without GPSAsk user for JPEG/PNG export
500Server or model errorRetry or show user-friendly message

Error responses mirror UI behavior — always check the redirect field.

POST /api/exif — server-side metadata extraction

The /api/exif endpoint provides a fallback when client-side EXIF parsing fails — common with HEIC files from iPhones, corrupted metadata, or formats exifr cannot read in the browser. It accepts multipart form data with a single file field and returns { exif } where exif may be null if no metadata is found.

Unlike /api/analyze, this endpoint does not require authentication, deduct credits, or run AI inference. It only extracts metadata from the uploaded buffer using our server-side exif library. The web app calls it selectively when client parsing returns empty GPS but the user still wants to attempt a metadata read before committing an AI credit.

Privacy note: the uploaded file is processed in memory and discarded after extraction — consistent with our policy that full-resolution photographs are not stored. Only the extracted metadata fields travel forward if the user subsequently runs /api/analyze.

This endpoint is also not a public API product. It lacks rate-limit documentation for external callers and is not designed for bulk archive ingestion. For batch EXIF extraction across thousands of files, contact us to discuss enterprise options rather than hammering an undocumented route.

// Server-side EXIF fallback — multipart upload, no credits required.

async function extractExifServerSide(file: File) {
  const form = new FormData();
  form.append("file", file);

  const response = await fetch("/api/exif", {
    method: "POST",
    credentials: "include",
    body: form,
  });

  const { exif } = await response.json();
  // exif: { latitude?, longitude?, timestamp?, make?, model? } | null
  return exif;
}

Credit model and access tiers

Credits gate AI visual analysis, not EXIF reads. One credit equals one photo analyzed by the vision model. EXIF GPS extraction — whether client-side or via /api/exif — is always free. When GPS coordinates exist, /api/analyze uses the free geocode path even though it technically hits the same endpoint.

New registered accounts receive one free credit on signup. Additional credits are available through wallet packs (one-time purchase, never expire) or a Pro subscription (100 credits per month with priority processing). Anonymous browser sessions bypass the credit system but are limited to a single AI search per cookie lifetime.

Developer accounts with @whereisthis.place email addresses may have unlimited access for internal testing — this is not available to external integrators. There is no pay-per-API-call pricing tier exposed programmatically; billing flows through Stripe on the /pricing page.

If you are building an integration that will consume hundreds or thousands of credits monthly, stop here and use /contact. We can structure volume pricing, invoicing, and dedicated quotas that the self-serve wallet was not designed to support.

TierAI searchesEXIFHistory
Anonymous1 per browser sessionUnlimited, freeNot saved
Free account1 signup credit, then purchaseUnlimited, freeSaved when logged in
Wallet creditsPer purchased packUnlimited, freeFull history
Pro subscription100/monthUnlimited, freeFull history + priority
EnterpriseCustom volumeUnlimited, freeCustom retention terms

EXIF is always free across every tier.

Privacy, retention, and data handling

whereisthis.place processes uploaded photographs in memory and does not persist full-resolution images. After analysis, only a small thumbnail (capped around 50 KB) and the predictions JSON are stored in Supabase — enough to show search history, not enough to reconstruct the original scene.

EXIF metadata extracted client-side stays on the device until the user explicitly runs AI analysis. At that point, metadata fields merge with server-side re-parsing results and are stored alongside the search record. See our privacy policy for the complete data inventory.

We do not sell user data or use uploaded images for model training. Third-party processors involved in a typical analysis include Supabase (auth and database), AIMLAPI (vision inference), Mapbox (map tiles), and OpenStreetMap/Nominatim (geocoding). Images sent to AIMLAPI are transmitted for inference only.

Integrators embedding our tool should communicate this pipeline to their end users. If your product requires zero third-party inference, enterprise on-premise arrangements may be possible — that is a sales conversation, not a self-serve configuration.

  • Full-resolution images: processed in memory, not stored.
  • Thumbnails: small JPEG stored for search history UI.
  • Predictions JSON: stored with searchId for logged-in users.
  • EXIF fields: stored only when analysis is run.
  • Payment data: handled entirely by Stripe.

Enterprise, bulk processing, and custom APIs

We do not offer a self-serve developer portal with API keys today. If your organization needs programmatic geolocation at scale — wire-service verification pipelines, CMS plugins, DAM integrations, OSINT platform embeds, or batch processing of archival collections — reach out via /contact with your volume estimate, latency requirements, and compliance constraints.

Enterprise engagements can include: dedicated API credentials with documented endpoints, custom rate limits and SLAs, volume pricing outside the consumer wallet, webhook or callback delivery, SSO integration, data residency discussions, and on-premise or VPC deployment for sensitive environments.

We are honest about capability gaps. Our vision model excels at interactive single-image analysis with human verification — not at real-time video geolocation or sub-second batch throughput across millions of files. Scoping conversations upfront prevent mismatched expectations.

Journalism teams, OSINT researchers, and legal investigators are common enterprise customers. We prioritize use cases with clear public-interest value and enforce our acceptable use policy against stalking, harassment, and non-consensual location tracking in every integration agreement.

Recommended integration patterns

Deep link to the upload UI: The simplest integration. Pass users to whereisthis.place with UTM parameters for attribution. No engineering maintenance, full privacy UX, and users benefit from map verification tools.

iframe or widget (by request): Not available self-serve. Some publishers want an embedded upload box. Contact us — we evaluate iframe and white-label options case by case, especially for newsroom CMS plugins.

Server-side proxy (enterprise only): Your backend holds API credentials we issue under contract, accepts images from your users, forwards to our inference pipeline, and returns predictions. This is the pattern for high-volume integrations and requires a signed agreement.

Metadata-only workflow: If your users already have EXIF GPS, you may not need our AI at all. OpenStreetMap/Nominatim reverse geocoding may suffice. Our free EXIF path exists for users who want a polished map UI without building geocoding themselves — link them to /exif-gps-photo-finder rather than rebuilding the pipeline.

PatternEffortBest for
Link to web appMinimalJournalists, one-off verification
Client-side EXIF + our UILowPhotographers with GPS-tagged files
Undocumented /api/analyzeMedium, fragilePrototypes only — not supported
Enterprise API proxyHighNewsrooms, OSINT platforms, archives

We support the first, second, and fourth patterns. The third is documented here for transparency, not endorsement.

Frequently asked questions

Does whereisthis.place have a public REST API?+

No. The primary interface is the web application. Internal endpoints (/api/analyze, /api/exif) power our frontend and are not documented as a public integration surface. Enterprise API access is available on request via /contact.

Can I call /api/analyze from my backend server?+

Not without an enterprise agreement. The endpoint expects same-origin browser cookies for session and credit management. Server-to-server integration requires credentials we issue under contract — contact us to discuss.

Is EXIF extraction free for API callers?+

Yes. EXIF GPS reads — client-side or via POST /api/exif — never consume credits. Only AI visual analysis (when GPS is absent) costs one credit per image.

What analysis modes are supported?+

Two modes: geolocalize (estimate where a photo was taken from visual clues) and georeference (align an image to map coordinates when approximate location is known). Both use the same endpoint with the mode field in the request body.

How are anonymous users rate-limited?+

Anonymous visitors receive one free AI search per browser session, tracked via an httpOnly cookie (witp_anon_token). Subsequent AI requests return HTTP 403 with a redirect to /register. EXIF reads are unlimited.

Are uploaded images stored?+

Full-resolution images are processed in memory and discarded. We store a small thumbnail and predictions JSON for search history. See /privacy for details.

Can I get API keys for batch processing?+

API keys and batch endpoints are not self-serve. For volume integrations — archives, CMS pipelines, OSINT platforms — contact us with your expected monthly volume and use case.

What happens when credits run out mid-integration?+

Logged-in users receive HTTP 402 with { error: insufficient_credits, redirect: /pricing }. Your integration should surface this and direct users to purchase credits or upgrade to Pro.

Related reading

Need enterprise API access?

Tell us about your volume, latency requirements, and compliance needs. We will scope a custom integration — dedicated credentials, SLAs, and volume pricing.

Contact us