it is great that you provide integration with certbot.
To limit the risk of access tokens that are located on online systems for automated certificate renewal it would be nice if one could create ‘letsencrypt only’ tokens that are only authorized to create/change
_acme-challenge TXT records.
What do you think about a feature like that?
To give a specific example:
for a webserver running www.example.com
one would create a specific access token, and that letsencrypt-only token can only create/modify
TXT records for _acme-challenge.www.example.com but not for _acme-challenge.webmail.example.com
Probably more like a workaround, but you can CNAME the _acme_challenge DNS entries to a different (sub-) domain that may be managed by a different account and therefore have a different api token. That way, a compromise of the second account will not result in the attacker being able to hijack the whole domain.