Comment by ehou

3 years ago

+1 for more restrictions on DNS API tokens. Ways to mitigate the risks:

    - Separate account per domain .. which is a lot of work, see acceptance process in other comments

    - Use an NS record for _acme-challenge.domain.tld when having the DNS hosted elsewhere and point this to the Hetzner DNS servers