3. Subscriptions – “Tell me the moment something happens”
This is where GraphQL stops being polite small talk and starts being genuinely cool.
A Query is “What’s the patient’s appointment status right now?” A Subscription is “Text me the second it changes.” It’s the difference between refreshing your package tracking page every five minutes like a caveman, and getting a push notification the moment your package leaves the depot.
Subscriptions work over WebSocket, not regular HTTP. Your client opens a connection and just… waits. No polling, no setInterval hackery, no shame.
subscription OnAppointmentStatusChanged {
  appointmentStatusChanged(patientId: "patient-001") {
    id
    status
  }
}
In my POC, the moment a doctor updates an appointment from SCHEDULED to IN_PROGRESS, the patient’s dashboard updates live, no refresh button required. The server publishes an event, the subscription catches it, the UI lights up. It genuinely felt like magic the first time I saw it work, right up until it didn’t work, at which point it felt like a personal attack. (Pro tip: check your WebSocket connection before assuming the universe hates you specifically.)
Catchy summary: Queries ask once. Mutations act once. Subscriptions never shut up, in the best possible way.
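To show what "the server publishes an event, the subscription catches it" looks like in code, here is an added example in TypeScript. It is not code from the healthcare-graphql-poc repo: the PubSub class, the Viewer shape and the resolver names are hypothetical, and the data is constructed. It models two things a subscription resolver has to get right: the viewer is checked once when the subscription is opened (a patient may only watch their own appointments), and every published event is filtered per subscriber so other patients' status changes never reach the wrong WebSocket.

```typescript
// Added example, not code from the healthcare-graphql-poc repo. PubSub, Viewer,
// subscribeAppointmentStatus and updateAppointmentStatus are hypothetical names;
// the event shape mirrors the appointmentStatusChanged subscription above.

type Role = "PATIENT" | "NURSE" | "DOCTOR" | "ADMIN";
type Status = "SCHEDULED" | "IN_PROGRESS" | "COMPLETED";

// Who is on the other end of the WebSocket, as established by the JWT (hypothetical shape).
interface Viewer { id: string; role: Role; patientId?: string }

interface AppointmentEvent { id: string; patientId: string; status: Status }
type Listener = (event: AppointmentEvent) => void;

// The broker: one topic, many listeners. subscribe() returns an unsubscribe function.
class PubSub {
  private listeners = new Map<string, Set<Listener>>();

  subscribe(topic: string, listener: Listener): () => void {
    if (!this.listeners.has(topic)) this.listeners.set(topic, new Set());
    this.listeners.get(topic)!.add(listener);
    return () => { this.listeners.get(topic)?.delete(listener); };
  }

  // Delivers the event to every listener on the topic; returns how many were notified.
  publish(topic: string, event: AppointmentEvent): number {
    const set = this.listeners.get(topic);
    if (!set) return 0;
    for (const listener of set) listener(event);
    return set.size;
  }
}

// Subscription resolver for appointmentStatusChanged(patientId).
// Check 1 runs once, when the subscription is opened: may this viewer watch this patient?
// Check 2 runs per event: drop anything that belongs to a different patient.
function subscribeAppointmentStatus(
  pubsub: PubSub,
  viewer: Viewer,
  patientId: string,
  onEvent: (payload: { id: string; status: Status }) => void,
): () => void {
  if (viewer.role === "PATIENT" && viewer.patientId !== patientId) {
    throw new Error("FORBIDDEN: patients may only subscribe to their own appointments");
  }
  return pubsub.subscribe("appointmentStatusChanged", (ev) => {
    if (ev.patientId !== patientId) return;      // not this subscriber's patient
    onEvent({ id: ev.id, status: ev.status });   // only the fields the client selected
  });
}

// Mutation side: staff update the status and the change is published. Patients cannot.
function updateAppointmentStatus(
  pubsub: PubSub,
  viewer: Viewer,
  appointment: AppointmentEvent,
  status: Status,
): AppointmentEvent {
  if (viewer.role === "PATIENT") throw new Error("FORBIDDEN: patients cannot update status");
  const updated: AppointmentEvent = { ...appointment, status };
  pubsub.publish("appointmentStatusChanged", updated);
  return updated;
}

// Replays the scenario from the post with constructed data and returns what each
// dashboard received, so the behaviour can be checked rather than eyeballed.
function runScenario(): { patient1: Status[]; patient2: Status[]; crossPatientBlocked: boolean } {
  const pubsub = new PubSub();
  const doctor: Viewer = { id: "user-doc", role: "DOCTOR" };
  const patient1: Viewer = { id: "user-p1", role: "PATIENT", patientId: "patient-001" };
  const patient2: Viewer = { id: "user-p2", role: "PATIENT", patientId: "patient-002" };

  const received1: Status[] = [];
  const received2: Status[] = [];
  const stop1 = subscribeAppointmentStatus(pubsub, patient1, "patient-001", (p) => received1.push(p.status));
  subscribeAppointmentStatus(pubsub, patient2, "patient-002", (p) => received2.push(p.status));

  // patient-002 asking to watch patient-001's appointments must be refused up front.
  let crossPatientBlocked = false;
  try {
    subscribeAppointmentStatus(pubsub, patient2, "patient-001", () => {});
  } catch {
    crossPatientBlocked = true;
  }

  const appt: AppointmentEvent = { id: "appt-42", patientId: "patient-001", status: "SCHEDULED" };
  updateAppointmentStatus(pubsub, doctor, appt, "IN_PROGRESS"); // patient-001's dashboard lights up
  stop1();                                                      // the dashboard closes its socket
  updateAppointmentStatus(pubsub, doctor, appt, "COMPLETED");   // nobody is listening for patient-001 now

  return { patient1: received1, patient2: received2, crossPatientBlocked };
}
```

The per-event filter is what keeps a shared topic safe: the broker fans every status change out to every listener, and it is the resolver's closure, not the broker, that decides which socket gets which payload. If the WebSocket seems dead, the first thing to confirm is that the subscription was actually accepted rather than rejected by the opening check.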
4. Access Control – “Not everyone gets to see everything”
Here’s the plot twist nobody warns you about: building the API is the easy part. Deciding who’s allowed to do what is where things get spicy.
In a healthcare system, this isn't optional; it's the whole point. A patient should not be able to query another patient's medical records. A nurse shouldn't be able to delete a doctor's account. And under no circumstances should anyone except doctors and admins be allowed to look at sensitive fields like a patient's SSN.
This is Role-Based Access Control, or RBAC if you enjoy acronyms with that slightly bureaucratic flavor.
The idea is simple even if the implementation has layers:
- Authentication answers "who are you?", usually by way of a JWT you get after logging in.
- Authorization answers “what are you allowed to do, now that I know who you are?”
In practice, this means every single GraphQL operation gets checked against the user’s role before it’s allowed to run:
| Role | Can do |
| --- | --- |
| PATIENT | See their own appointments and prescriptions only |
| NURSE | View patients, update appointment status |
| DOCTOR | All of the above, plus create prescriptions |
| ADMIN | Everything, including the spicy fields like SSN |
The genuinely fun part is field-level access control, not just “can you run this query,” but “can you see this specific field in the response.” A patient querying their own record gets ssn: null even though the field exists in the schema. Same query, different human, different answer. It’s GraphQL quietly redacting a document right in front of you, like a polite government agency.
The line to remember: Authentication is the bouncer checking your ID. Authorization is the bouncer deciding which rooms you’re allowed in once you’re inside. Don’t confuse the two, or you’ll spend three hours debugging a “bug” that’s actually just you skipping a step.
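Here is the role table and the field-level redaction turned into code, as an added TypeScript example that is not part of the POC repo. The names PERMISSIONS, can, requireAction, resolvePatient and the Viewer shape are hypothetical, and the patient row is constructed; the roles and the rules are the ones described above. It runs the two checks in the order a resolver should: first "may this viewer read this record at all?", then "may this viewer see this field?", with ssn resolving to null for anyone who is not a doctor or admin.

```typescript
// Added example, not code from the healthcare-graphql-poc repo. PERMISSIONS, can,
// requireAction, resolvePatient and Viewer are hypothetical names; the roles and
// rules follow the table in the post.

type Role = "PATIENT" | "NURSE" | "DOCTOR" | "ADMIN";
type Action =
  | "viewOwnRecord"
  | "viewAnyPatient"
  | "updateAppointmentStatus"
  | "createPrescription"
  | "viewSsn"
  | "deleteAccount";

// Authentication has already happened: this is what the verified JWT told us.
interface Viewer { userId: string; role: Role; patientId?: string }

// The database row (constructed shape) and the shape the client receives.
interface PatientRow { id: string; name: string; ssn: string }
interface PatientView { id: string; name: string; ssn: string | null }

// Roles accumulate, matching the table: each row gets the rows above it plus its own rights.
const PATIENT_ACTIONS: Action[] = ["viewOwnRecord"];
const NURSE_ACTIONS: Action[] = [...PATIENT_ACTIONS, "viewAnyPatient", "updateAppointmentStatus"];
const DOCTOR_ACTIONS: Action[] = [...NURSE_ACTIONS, "createPrescription", "viewSsn"];
const ADMIN_ACTIONS: Action[] = [...DOCTOR_ACTIONS, "deleteAccount"];

const PERMISSIONS: Record<Role, ReadonlySet<Action>> = {
  PATIENT: new Set(PATIENT_ACTIONS),
  NURSE: new Set(NURSE_ACTIONS),
  DOCTOR: new Set(DOCTOR_ACTIONS),
  ADMIN: new Set(ADMIN_ACTIONS),
};

// Authorization answers "what may this role do?"
function can(role: Role, action: Action): boolean {
  return PERMISSIONS[role].has(action);
}

// Operation-level guard: the first line of every resolver.
function requireAction(viewer: Viewer, action: Action): void {
  if (!can(viewer.role, action)) {
    throw new Error(`FORBIDDEN: ${viewer.role} may not ${action}`);
  }
}

// Query resolver for patient(id).
// 1. Object-level: a patient may read only their own record; staff may read any.
// 2. Field-level: ssn is returned only to roles holding viewSsn, otherwise null.
function resolvePatient(viewer: Viewer, requestedId: string, db: Map<string, PatientRow>): PatientView {
  const isOwnRecord = viewer.role === "PATIENT" && viewer.patientId === requestedId;
  requireAction(viewer, isOwnRecord ? "viewOwnRecord" : "viewAnyPatient");

  const row = db.get(requestedId);
  if (!row) throw new Error("NOT_FOUND");

  return {
    id: row.id,
    name: row.name,
    ssn: can(viewer.role, "viewSsn") ? row.ssn : null, // same query, different human, different answer
  };
}

// Runs the scenarios from the post against a constructed record and returns the outcomes.
function runScenario(): {
  ownSsn: string | null;
  nurseSsn: string | null;
  doctorSsn: string | null;
  otherPatientBlocked: boolean;
  nurseCanDeleteAccount: boolean;
} {
  const db = new Map<string, PatientRow>([
    ["patient-001", { id: "patient-001", name: "Constructed Patient", ssn: "000-00-0000" }], // constructed
  ]);
  const patient: Viewer = { userId: "u1", role: "PATIENT", patientId: "patient-001" };
  const nurse: Viewer = { userId: "u2", role: "NURSE" };
  const doctor: Viewer = { userId: "u3", role: "DOCTOR" };

  const ownView = resolvePatient(patient, "patient-001", db);
  const nurseView = resolvePatient(nurse, "patient-001", db);
  const doctorView = resolvePatient(doctor, "patient-001", db);

  // A different patient asking for patient-001's record is refused at the object level.
  let otherPatientBlocked = false;
  try {
    resolvePatient({ ...patient, patientId: "patient-002" }, "patient-001", db);
  } catch {
    otherPatientBlocked = true;
  }

  return {
    ownSsn: ownView.ssn,
    nurseSsn: nurseView.ssn,
    doctorSsn: doctorView.ssn,
    otherPatientBlocked,
    nurseCanDeleteAccount: can("NURSE", "deleteAccount"),
  };
}
```

Keeping the permission matrix in one place and calling can() from both the operation guard and the field resolver is what makes the rules "applied consistently, everywhere": a new sensitive field gets a new Action entry, not a fresh if-statement with its own idea of who counts as a doctor.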
Putting it all together (without losing your mind)
Here’s the mental model that finally made it click for me:
- Schema = the contract. What data exists, what shapes it comes in.
- Queries = reading that data.
- Mutations = changing that data.
- Subscriptions = getting notified the instant that data changes, live.
- RBAC = the bouncer making sure everyone only sees and touches what they’re supposed to.
Four concepts. One mental model. No PhD required.
The thing that genuinely surprised me building this out is how composable it all is. Once your schema is solid, Queries and Mutations practically write themselves. Subscriptions are just Mutations with a megaphone. And RBAC is just… rules, applied consistently, everywhere, without exception, the same discipline you’d want from a strict but fair teacher.
Go build the thing
I built a complete working version of everything above (patients, doctors, appointments, prescriptions, real-time subscriptions, full role-based access control) using Node.js, TypeScript, PostgreSQL, and React. No ORM, no shortcuts, raw SQL the whole way through, so you can actually see what's happening under the hood instead of trusting a magic box.
Repo link: https://github.com/ArzooJain-25/healthcare-graphql-poc
Clone it, run it, break it, fix it. That’s genuinely the fastest way to learn this stuff, not by reading one more blog post (yes, even this one), but by watching a query fail, swearing quietly, and figuring out why.
GraphQL isn’t scary. It’s just REST that finally went to therapy and learned to communicate its needs clearly.
PakarPBN
A Private Blog Network (PBN) is a collection of websites that are controlled by a single individual or organization and used primarily to build backlinks to a “money site” in order to influence its ranking in search engines such as Google. The core idea behind a PBN is based on the importance of backlinks in Google’s ranking algorithm. Since Google views backlinks as signals of authority and trust, some website owners attempt to artificially create these signals through a controlled network of sites.
In a typical PBN setup, the owner acquires expired or aged domains that already have existing authority, backlinks, and history. These domains are rebuilt with new content and hosted separately, often using different IP addresses, hosting providers, themes, and ownership details to make them appear unrelated. Within the content published on these sites, links are strategically placed that point to the main website the owner wants to rank higher. By doing this, the owner attempts to pass link equity (also known as “link juice”) from the PBN sites to the target website.
The purpose of a PBN is to give the impression that the target website is naturally earning links from multiple independent sources. If done effectively, this can temporarily improve keyword rankings, increase organic visibility, and drive more traffic from search results.
