diff --git a/Makefile b/Makefile
index 3cb4a17..baa4ef5 100644
--- a/Makefile
+++ b/Makefile
@@ -24,7 +24,7 @@ csv/webrings.csv:
 
 .PHONY: hugo
 hugo: csv/webrings.csv $(SRCFILES)
-	sh scripts/get-token.sh
+	sh scripts/get-webmentions.sh
 	hugo -b $(HUGO_BASEURL) $(HUGO_FLAGS) -d $(OUTPUT_DIR)
 	mv $(OUTPUT_DIR)/about/_index.gmi $(OUTPUT_DIR)/about/index.gmi
 
diff --git a/scripts/get-token.sh b/scripts/get-token.sh
deleted file mode 100644
index 91fcaca..0000000
--- a/scripts/get-token.sh
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/bin/sh
-#
-# Script to authenticate with webmentiond and grab a temporary generated
-# bearer token, writing it to .webmentiond-token for Hugo to then read.
-
-set -e
-
-_key() {
-	if [ -n "$BUILD_SUBMITTER" ]; then
-		cat ~/.webmentiond-key
-	else
-		pash show webmentiond-ci-key
-	fi
-}
-
-key="$(_key)"
-
-set -u 
-
-# just a lil curl wrapper I use on seirdy.one
-alias ccurl='curl --proto "=https" --proto-default https --tlsv1.3 --cert-status --compressed'
-
-_token() {
-	ccurl -sX POST https://seirdy.one/webmentions/authenticate/access-key -d "key=$key"
-}
-
-token="$(_token)"
-
-set +u
-ccurl -H "Authorization: Bearer $token" 'https://seirdy.one/webmentions/manage/mentions?limit=9999&status=approved' >data/webmentions.json
-# printf '%s' "$token" >.webmentiond-token
diff --git a/scripts/get-webmentions.sh b/scripts/get-webmentions.sh
new file mode 100644
index 0000000..935175e
--- /dev/null
+++ b/scripts/get-webmentions.sh
@@ -0,0 +1,44 @@
+#!/bin/sh
+#
+# Script to fetch all approved webmentions from webmentiond as a big json response.
+# Uses POSIX and cURL in CI, also uses any pass/pash-compatible pwmngr otherwise
+# The response is cached for 90 minutes.
+
+set -e -u
+
+auth_url='https://seirdy.one/webmentions/authenticate/access-key'
+webmentions_url='https://seirdy.one/webmentions/manage/mentions?limit=9999&status=approved'
+webmentions_file="$(realpath data/webmentions.json)"
+
+# just a little curl wrapper I use on seirdy.one
+alias ccurl='curl --proto "=https" --proto-default https --tlsv1.3 --cert-status'
+
+# use a long-lived key (password) to fetch a short-lived bearer token.
+key() {
+	set +u
+	if [ -n "$BUILD_SUBMITTER" ]; then
+		cat ~/.webmentiond-key
+	else
+		pash show webmentiond-ci-key
+	fi
+	set -u
+}
+
+token() {
+	ccurl -sX POST "$auth_url" -d "key=$(key)"
+}
+
+# use that token to fetch all webmentions
+fetch_webmentions() {
+	ccurl --compressed -H "Authorization: Bearer $(token)" "$webmentions_url"
+}
+
+# fetch webmentions if we don't have a fresh copy already.
+
+if [ -f "$webmentions_file" ] \
+	&& [ "$(find "$webmentions_file" -mmin +90)" == "" ]; then
+	echo 'Using cached webmentions'
+else
+	echo 'Fetching webmentions'
+	fetch_webmentions >"$webmentions_file"
+fi