This is nice, I have some nameservers pointing to Hetzner so I can use Caddy to do domain validation via API and get https (with dedicated domains) on private LANs. But the Hetzner API keys are horribly, uncomfortably over-scoped and I haven't found a way to reduce that.

At least when I do DNS at bunny, a leaked key can't rent VMs on my CC. And I prefer EU infra (cloudflare works great though for this usecase). Who knows that my bunny account can grow into ;)