DNS-01 problem with dehydrated

So, from the look of things, you are taking the token from the challenge resource, and using it as the value of your TXT record.

This is not how the token is used.

For the DNS-01 challenge (RFC 8555 - Automatic Certificate Management Environment (ACME)), you:

  1. Take the challenge token
  2. Derive the key authorization value using (1)
  3. Take the SHA-256 digest of the value from (2)
  4. Take the base64url encoding of the value from (3)
  5. Set your TXT record to the value from (4)

Generally, when you use an ACME client like Certbot or dehydrated, the client will give you the final value you need, saving you the trouble of steps 1-4.

Looking at https://github.com/dehydrated-io/dehydrated/blob/master/docs/dns-verification.md,

$3 is a "challenge token" (which is not needed for dns-01), and
$4 is a token which needs to be inserted in a TXT record for the domain.

It sounds like you are using $3, but need to be using $4.

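The five steps above carried out by hand, as an added example that is not dehydrated's or Certbot's code: it computes the account key's JWK thumbprint (RFC 7638), builds the key authorization (RFC 8555 section 8.1) and derives the TXT value from it (section 8.4). The account key and token below are sample values, not a real account or challenge.

```python
"""Derive the dns-01 TXT record value from a challenge token and an ACME account key."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME requires everywhere (RFC 8555 section 6.1)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url(); re-adds the padding that the encoder stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Required public members per key type; only these go into the thumbprint (RFC 7638 section 3.2).
_THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def thumbprint_input(jwk: dict) -> str:
    """Canonical JSON of the required members: lexicographic key order, no whitespace."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in members}, separators=(",", ":"), sort_keys=True)


def jwk_thumbprint(jwk: dict) -> str:
    """base64url(SHA-256(canonical JSON)) of the account's public key."""
    return b64url(hashlib.sha256(thumbprint_input(jwk).encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Step 2: token || "." || thumbprint of the account key (RFC 8555 section 8.1)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns_txt_value(token: str, jwk: dict) -> str:
    """Steps 3-4: SHA-256 digest of the key authorization, base64url encoded (section 8.4)."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("utf-8")).digest()
    return b64url(digest)


# Constructed sample input: an EC P-256 public key and a token shaped like an ACME challenge token.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "alg": "ES256",
              "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    # Step 5: this is the string that belongs in _acme-challenge.<domain> TXT, not the token itself.
    print("token:", SAMPLE_TOKEN)
    print("TXT  :", dns_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
```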