bug or feature? API was able to create a new record even though API token does not have create permission

Posted on July 18, 2025

I was surprised when I needed to set up a DDNS to update DNS and found that it created a new record even though I didn’t give the API token create permission. I expected it to fail until I manually created the record first. First time using DigitalOcean’s DNS update service so perhaps I’m overlooking something or failing to understand what update permissions vs create permission provide. The description implies the create is needed to create a new record though it doesn’t provide exactly what a record is in this case: Create: Create domains and domain records

As a follow-on, I was a bit surprised that I didn’t find a way to lock it down to just have the ability to update a single DNS record–something that would be a requirement if I was using DigitalOcean in my day job for security reasons and probably used for automatic domain verification for TLS certs. For my use here it is fine to just limit update of existing records but it doesn’t appear to work that way.


I created a personal access token with just 2 scopes in it (copied below). Scopes are update and read.

Token type: Custom scope

Scopes: 2 scopes

Created: xxx

Last used: xxx

Expires: xxx

Scopes

Read Access: domain (1 scope)

Update Access: domain (1 scope)

Total Custom Scopes: 2 scopes


