Designed & Delivered a secure, scalable, and reliable API Gateway that simplified integrations across units.
Architected a central API Gateway that became the single entry point for patients, clinics, and partners. It improved scalability, strengthened security with JWT-based access, and simplified integrations across 500+ distributed healthcare units.
As the healthcare platform grew to support 500+ healthcare units, we needed a secure and scalable way to connect mobile apps, web apps, and third-party systems with backend services. Without a central gateway, each service had to be secured on its own, traffic handling was inconsistent, and scaling each integration separately became messy and error-prone.
The goal was to design a single entry point, an API Gateway, that would handle authentication, routing, and monitoring while making sure every request reached the right backend system, whether in the cloud or at a distributed healthcare unit. This would simplify integrations, improve security, and give us flexibility to grow.
I designed and implemented a RESTful API Gateway using ASP.NET Core, which serves as the front door of the healthcare ecosystem. It manages requests from patients, healthcare-unit (HCU) staff, and external service provider partners, ensuring secure and seamless communication across the platform.
Key responsibilities of the gateway:
Authentication & Security: Handles JWT-based authentication, role-based access control (RBAC), and rate limiting.
Traffic Routing: Routes each request either to the centralized portal services or, via the WebSocket Gateway, to services running at a distributed healthcare unit.
Observability: Provides centralized logging, monitoring, and audit trails using Serilog.
Diagram: shows how patients and third-party partners interact with the API Gateway, portal, and distributed healthcare units.
Diagram: illustrates the internal components of the API Gateway (authentication, RBAC, routing engine, logging) and how they connect to the Portal Database and WebSocket Gateway.
Diagram: shows how the Routing Engine works:
Type A controllers → Route traffic to the central portal database for cloud-based services.
Type B controllers → Route traffic to the WebSocket Gateway, which relays requests to the appropriate healthcare unit.
If the healthcare unit replies within the deadline, the gateway returns the result. If the unit has no open WebSocket session, the gateway returns a "client not connected" response; if the unit is connected but does not reply in time, the request times out.
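The Type B path described above, as an added example that is not the project's own code: a relay that correlates each forwarded request with the unit's reply and distinguishes the "client not connected" case from a timeout. `IUnitRelay`, `UnitRelay`, the `id|payload` frame format, the route names and the HTTP status codes (503 for a unit with no open session, 504 for a connected unit that does not answer in time) are assumptions. In the page's design the unit sessions are held by the Node.js WebSocket Gateway; this example collapses that hop into the `send` delegate registered per unit, and the correlation and timeout logic is the same wherever it sits.

```csharp
// Added example, not the project's code. Assumes a .NET 6+ web project with implicit usings.
// Register with: builder.Services.AddSingleton<UnitRelay>();
//                builder.Services.AddSingleton<IUnitRelay>(sp => sp.GetRequiredService<UnitRelay>());
using System.Collections.Concurrent;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;

public interface IUnitRelay
{
    bool IsConnected(string unitId);
    Task<string> SendAsync(string unitId, string payload, TimeSpan timeout, CancellationToken ct);
}

public sealed class UnitNotConnectedException : Exception
{
    public UnitNotConnectedException(string unitId) : base($"unit {unitId} has no open session") { }
}

public sealed class UnitRelay : IUnitRelay
{
    // unitId -> delegate that writes one frame to that unit's session (assumed to be registered
    // by the code that owns the WebSocket connection; that code is outside this example).
    private readonly ConcurrentDictionary<string, Func<string, Task>> _sessions = new();
    // correlation id -> the waiting HTTP request, completed when the matching reply frame arrives.
    private readonly ConcurrentDictionary<string, TaskCompletionSource<string>> _pending = new();

    public void Register(string unitId, Func<string, Task> send) => _sessions[unitId] = send;
    public void Unregister(string unitId) => _sessions.TryRemove(unitId, out _);
    public bool IsConnected(string unitId) => _sessions.ContainsKey(unitId);

    public async Task<string> SendAsync(string unitId, string payload, TimeSpan timeout, CancellationToken ct)
    {
        if (!_sessions.TryGetValue(unitId, out var send)) throw new UnitNotConnectedException(unitId);

        var id = Guid.NewGuid().ToString("N");
        var tcs = new TaskCompletionSource<string>(TaskCreationOptions.RunContinuationsAsynchronously);
        _pending[id] = tcs;
        try
        {
            await send($"{id}|{payload}");                      // frame format "id|payload" is an assumption
            using var cts = CancellationTokenSource.CreateLinkedTokenSource(ct);
            cts.CancelAfter(timeout);                            // deadline for the unit's reply
            return await tcs.Task.WaitAsync(cts.Token);
        }
        catch (OperationCanceledException) when (!ct.IsCancellationRequested)
        {
            // Our deadline fired, not the caller's token: surface it as a timeout, not a cancellation.
            throw new TimeoutException($"unit {unitId} did not reply within {timeout}");
        }
        finally
        {
            _pending.TryRemove(id, out _);                       // late replies are dropped, not leaked
        }
    }

    // Called with each reply frame "id|result" received from the unit; returns false for unknown ids.
    public bool Complete(string frame)
    {
        var sep = frame.IndexOf('|');
        if (sep < 0) return false;
        return _pending.TryGetValue(frame[..sep], out var tcs) && tcs.TrySetResult(frame[(sep + 1)..]);
    }
}

[ApiController]
[Route("units/{unitId}")]
public sealed class UnitAppointmentsController : ControllerBase   // a Type B controller (assumed name)
{
    private readonly IUnitRelay _relay;
    public UnitAppointmentsController(IUnitRelay relay) => _relay = relay;

    [HttpGet("appointments/{date}")]
    public async Task<IActionResult> GetAppointments(string unitId, string date, CancellationToken ct)
    {
        // Validate before relaying: the unit acts on what it receives, so never forward raw client input.
        if (!DateOnly.TryParseExact(date, "yyyy-MM-dd", out var day))
            return BadRequest(new { error = "date must be yyyy-MM-dd" });

        if (!_relay.IsConnected(unitId))
            return StatusCode(StatusCodes.Status503ServiceUnavailable, new { error = "client not connected", unitId });
        try
        {
            var json = await _relay.SendAsync(unitId, $"appointments:{day:yyyy-MM-dd}", TimeSpan.FromSeconds(10), ct);
            return Content(json, "application/json");
        }
        catch (UnitNotConnectedException)   // session dropped between the connectivity check and the send
        {
            return StatusCode(StatusCodes.Status503ServiceUnavailable, new { error = "client not connected", unitId });
        }
        catch (TimeoutException)
        {
            return StatusCode(StatusCodes.Status504GatewayTimeout, new { error = "healthcare unit did not reply in time", unitId });
        }
    }
}
```

Two details matter for reliability here: the pending entry is removed in `finally`, so a reply that arrives after the deadline is discarded rather than completing a request nobody is waiting for, and the caller's `CancellationToken` is distinguished from the relay's own deadline so that a client disconnect is not misreported as a unit timeout.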
JWT Token-Based Authentication for secure access.
Role-Based Access Control (RBAC) with dynamic controller mapping.
Multi-Audience Security Middleware for fine-grained permissions.
Custom Token Expiry & Secrets per role for added security.
In-Memory Config for fast access and performance.
Centralized Logging with Serilog for auditing and monitoring.
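The multi-audience JWT middleware, per-role secrets and custom expiry listed above, as an added example (not the page's or the project's code) of how they fit together in ASP.NET Core: one JwtBearer scheme per audience, each pinned to its own signing key, audience and algorithm; a policy scheme that picks the validating scheme from the token's `aud` claim; and an issuance helper in which the role fixes both the secret and the lifetime. The audience names, configuration keys, lifetimes, issuer and route are assumptions.

```csharp
// Added example, not the project's code. Assumes a .NET 6+ web project with implicit usings
// and the Microsoft.AspNetCore.Authentication.JwtBearer package. Audience names, config keys,
// lifetimes and the issuer are illustrative assumptions.
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);
const string Issuer = "https://gateway.example";
const string Selector = "MultiAudience";

// One entry per audience/role: its own signing secret and its own token lifetime.
// Secrets should be at least 32 bytes and loaded from a secret store, never checked in.
var audiences = new Dictionary<string, (string Secret, TimeSpan Lifetime)>
{
    ["patient"] = (builder.Configuration["Jwt:PatientSecret"]!, TimeSpan.FromMinutes(30)),
    ["staff"]   = (builder.Configuration["Jwt:StaffSecret"]!,   TimeSpan.FromHours(8)),
    ["partner"] = (builder.Configuration["Jwt:PartnerSecret"]!, TimeSpan.FromMinutes(15)),
};

var auth = builder.Services.AddAuthentication(o =>
{
    o.DefaultScheme = Selector;            // every request goes through the selector first
    o.DefaultChallengeScheme = Selector;
});

foreach (var (aud, cfg) in audiences)
{
    auth.AddJwtBearer(aud, o => o.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidIssuer = Issuer,
        ValidateAudience = true,
        ValidAudience = aud,               // a staff token fails the patient scheme on audience ...
        ValidateIssuerSigningKey = true,
        IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(cfg.Secret)), // ... and on key
        ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 }, // pin the algorithm; the token's 'alg' header is not trusted
        ValidateLifetime = true,
        ClockSkew = TimeSpan.FromSeconds(30),
    });
}

auth.AddPolicyScheme(Selector, Selector, o => o.ForwardDefaultSelector = ctx =>
{
    // Peek at the UNVERIFIED aud claim only to decide which scheme validates the token.
    // Missing or unknown audiences fall through to "patient", whose validation then rejects them (401).
    var header = ctx.Request.Headers.Authorization.ToString();
    if (!header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase)) return "patient";
    var raw = header["Bearer ".Length..].Trim();
    var handler = new JwtSecurityTokenHandler();
    if (!handler.CanReadToken(raw)) return "patient";
    var aud = handler.ReadJwtToken(raw).Audiences.FirstOrDefault();
    return aud is not null && audiences.ContainsKey(aud) ? aud : "patient";
});

builder.Services.AddAuthorization(o => o.AddPolicy("StaffOnly", p => p.RequireRole("staff")));

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Type A style endpoint: only a token signed with the staff secret and carrying aud=staff gets through.
app.MapGet("/staff/ping", (ClaimsPrincipal user) => Results.Ok(new { user = user.Identity?.Name }))
   .RequireAuthorization("StaffOnly");

app.Run();

// Issuance: to be called only after the caller's credentials have been verified (that step is
// outside this example). The role selects both the signing secret and the expiry.
static class TokenIssuer
{
    public static string Issue(Dictionary<string, (string Secret, TimeSpan Lifetime)> audiences,
                               string issuer, string role, string subject)
    {
        var cfg = audiences[role];
        var creds = new SigningCredentials(
            new SymmetricSecurityKey(Encoding.UTF8.GetBytes(cfg.Secret)), SecurityAlgorithms.HmacSha256);
        var token = new JwtSecurityToken(
            issuer: issuer,
            audience: role,
            claims: new[] { new Claim(ClaimTypes.Name, subject), new Claim(ClaimTypes.Role, role) },
            notBefore: DateTime.UtcNow,
            expires: DateTime.UtcNow.Add(cfg.Lifetime),
            signingCredentials: creds);
        return new JwtSecurityTokenHandler().WriteToken(token);
    }
}
```

The selector reads the unverified `aud` only to choose which scheme runs; that scheme then refuses the token unless signature, issuer, audience, algorithm and lifetime all check out. A staff token presented as a patient token therefore fails on both key and audience, and a token with `alg: none` or a swapped algorithm is rejected because `ValidAlgorithms` is pinned rather than taken from the token header.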
ASP.NET Core as the API Gateway → stable, scalable, and integrates well with both SQL Server and Node.js microservices.
Two controller types (A & B) → simple yet powerful way to route traffic correctly.
JWT + RBAC → lightweight security model with role-based permissions.
Integration with Node.js WebSocket Gateway → enabled real-time communication with distributed healthcare-units.
Simplified integrations: All clients (apps, partners, healthcare-units) now connect through one secure gateway.
Increased reliability: Gateway handles failures, timeouts, and retries gracefully.
Improved scalability: The solution supports 500+ healthcare units and can easily scale further.
Stronger security: With multi-audience JWTs and per-role secrets, a token issued for one audience cannot be replayed against another, and the platform meets its healthcare security requirements.