I completely understand you and couldn’t agree more. What’s weird then is that it accepted the token-based API even though the version claims that it doesn’t support it. In a previous execution of the command, I did give it an e-mail and global API key, so maybe it cached the global API key and used it (despite me giving it a different file and the fact that it shouldn’t be doing that for security purposes)?
I could test it by revoking/changing my global API key and seeing if a dry run of a renewal works, but it’s too much effort for too little benefit, since it works now and it’s not that much of a security risk for my single-domain Cloudflare account. I’m just trying to follow security best practice. 