FWIW, there are ways to use DNS-01 without an API key that can control your entire domain.

https://hsm.tunnel53.net/article/dns-for-acme-challenges/