Leaving aside the use of HTTP GET to change state, which is what the tweets focuses on, having a 'toggle' API with not state exposed is a big no-no when it comes to controls and is extremely unsafe because the effect is unknown.
Really there should be a GET to query the status of the garage door and a (authenticated) PUT (also idempotent) to set the status to an explicit value.
HTTP GET requests have stricter requirements than other idempotent methods like PUT and DELETE. HTTP GET requests should be nullipotent (no side effects).
Leaving aside the use of HTTP GET to change state, which is what the tweets focuses on, having a 'toggle' API with not state exposed is a big no-no when it comes to controls and is extremely unsafe because the effect is unknown.
Really there should be a GET to query the status of the garage door and a (authenticated) PUT (also idempotent) to set the status to an explicit value.