The action calls can be performed like
curl -X GET 'http://Nuki-Bridge-FOO:8080/lockAction?action=1&token=BAR&nukiId=BAZ'
In particular using the
GET method is a violation of the HTTP specs. In short: “GET” may not have side effects. Unlocking a door is like the mother of all side effects.
This is not just a theoretical argument. Here is one example: somebody writes down the URL
http://Nuki-Bridge-FOO:8080/lockAction?action=1&token=BAR&nukiId=BAZ in a wiki in the local network. In the simple case some other user just clicks it by accident and unintentionally unlocks the door. Worse: the wiki might be a fancy one. In a background process it calls the in the wiki entered URLs to provide enrichments. It might do this even periodically, or at some unexpected time in the future (after a software update for example). Every time it calls this URL the door will then unlock!
There are other applications which behave likewise (chat apps, …). They all perform reasonably because GETing an URL may not have side effects.
GET on this URL and switch to
In the long run you might want to redesign your API in more depth. I am aware that devices like the bridge come with (hardware) constraints. But there are a few other bad practices currently implemented in the API. One of them makes the stated problem from above as bad as it is.
Best wishes, Tom