Restricted access tokens for letsencrypt dns challenge


it is great that you provide integration with certbot.
To limit the risk of access tokens that are located on online systems for automated certificate renewal it would be nice if one could create ‘letsencrypt only’ tokens that are only authorized to create/change
_acme-challenge TXT records.

What do you think about a feature like that?

To give a specific example:
for a webserver running
one would create a specific access token, and that letsencrypt-only token can only create/modify
TXT records for but not for

1 Like

Hi appliedprivacy,

We have been thinking about scoped tokens in general, also to associate them with a specific set of domains, for example (so that domains within the same account can be managed more granularly).

At the moment, we have not started implementing this, but it’s definitely an important feature. You can track progress here:

If you have more feature requests, it may be easier if you open a GitHub ticket directly.

Stay secure,

Probably more like a workaround, but you can CNAME the _acme_challenge DNS entries to a different (sub-) domain that may be managed by a different account and therefore have a different api token. That way, a compromise of the second account will not result in the attacker being able to hijack the whole domain.

1 Like

The CNAME variant works fine with lego ( )

also relevant in this context, this blog post by the EFF and their software solution to this: ACME-DNS

(you can jump to the section “Use ACME-DNS”, but it has no DNSSEC support…)


i saw that the commit for restricted token is ready to be applied.

Do you have any ETA or schedule for this to be enabled ?

Thank you again for this service,


Dear NewRedsquare,

we’re aiming at having the token scoping available at the end of the year. For more detailed information, please track the issue/PR on GitHub.


1 Like