by stilldavid 2312 days ago
This is now supported as of a few weeks ago! I just set it up for a new domain using a cancel-able API key.

I've just checked it, but with API tokens, I can only allow 'edit' rights on DNS records for a specific domain.

There is no way to create a token allowing access only to the _acme-challenge record.

You can use the CNAME trick to canonicalize all ACME challenge requests into a subdomain you reserved for this purpose and then give the tokens access to that subdomain.

Let's Encrypt is obeying normal DNS mechanics, so when they ask for a TXT record for _acme-challenge.cat-photos.example.com and get a CNAME as a response, they'll ask for the TXT record for the name in the CNAME answer instead. If that's cat-photos.cert-issuer.example.com then a token valid only for the subdomain cert-issuer.example.com can write that TXT record.

You sort out the CNAME once, probably when creating cat-photos.example.com or setting it up to get a certificate, and then afterwards the API token is enough for automation.
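The delegation described in the comment above, modelled as an added example that is not part of the thread and not any provider's real API. It simulates both sides: the validator following the CNAME from `_acme-challenge.cat-photos.example.com` to `cat-photos.cert-issuer.example.com`, and an ACME client holding a token scoped to `cert-issuer.example.com`. The `Zone`, `ScopedToken` and `acme_dns01_write` names, the zone contents and the scope-check rule are assumptions made for illustration; the security point it shows is that the token never needs write rights on `example.com` itself, and that a write attempt without the CNAME in place is refused rather than silently escalated.

```python
"""
Added example (not from the HN thread): an offline model of the CNAME
delegation trick for ACME DNS-01. The zone data, the token scope and every
function name here are constructed for illustration; a real deployment uses the
DNS provider's API and Let's Encrypt's actual validator.

Equivalent zone-file lines for the delegation (BIND syntax, constructed):
  _acme-challenge.cat-photos.example.com.  IN CNAME  cat-photos.cert-issuer.example.com.
"""
from dataclasses import dataclass, field


@dataclass
class Zone:
    # name (lowercase, no trailing dot) -> {rtype: [values]}
    records: dict = field(default_factory=dict)

    def add(self, name, rtype, value):
        self.records.setdefault(name.lower().rstrip("."), {}) \
            .setdefault(rtype, []).append(value)

    def lookup(self, name, rtype):
        return self.records.get(name.lower().rstrip("."), {}).get(rtype, [])


def resolve_txt(zone, name, max_hops=8):
    """Behave like the validator: if the name has a CNAME, query TXT at the
    target instead, repeating until a non-CNAME name is reached."""
    seen = set()
    for _ in range(max_hops):
        cname = zone.lookup(name, "CNAME")
        if not cname:
            return name, zone.lookup(name, "TXT")
        if name in seen:
            raise ValueError("CNAME loop")
        seen.add(name)
        name = cname[0].lower().rstrip(".")
    raise ValueError("too many CNAME hops")


@dataclass
class ScopedToken:
    """Models a provider API token that may only edit records at or below one
    subdomain (the 'cert-issuer.example.com' token from the comment)."""
    scope: str

    def allows(self, name):
        n = name.lower().rstrip(".")
        s = self.scope.lower().rstrip(".")
        return n == s or n.endswith("." + s)


def acme_dns01_write(zone, token, fqdn, value):
    """What the ACME client does: find where the TXT record must live by
    following CNAMEs, then write it only if the scoped token permits that name."""
    target, _ = resolve_txt(zone, f"_acme-challenge.{fqdn}")
    if not token.allows(target):
        raise PermissionError(f"token scoped to {token.scope} cannot write {target}")
    zone.add(target, "TXT", value)
    return target


def can_write(zone, token, fqdn):
    """True if the token's scope covers the name the challenge resolves to."""
    target, _ = resolve_txt(zone, f"_acme-challenge.{fqdn}")
    return token.allows(target)


def build_demo_zone():
    # Constructed zone: one host plus the one-time CNAME delegation.
    zone = Zone()
    zone.add("cat-photos.example.com", "A", "192.0.2.10")
    zone.add("_acme-challenge.cat-photos.example.com", "CNAME",
             "cat-photos.cert-issuer.example.com")
    return zone


if __name__ == "__main__":
    zone = build_demo_zone()
    token = ScopedToken("cert-issuer.example.com")
    where = acme_dns01_write(zone, token, "cat-photos.example.com", "challenge-value")
    print("TXT written at", where)
    print("validator sees", resolve_txt(zone, "_acme-challenge.cat-photos.example.com"))
```

Running the module writes the TXT record under `cert-issuer.example.com` and shows the validator reading it back via the CNAME; dropping the CNAME makes the same write raise `PermissionError`, which is the failure mode you want when a narrowly scoped token is used.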