# `Mailglass.Webhook.Providers.SES.CertCache`
[🔗](https://github.com/szTheory/mailglass/blob/v1.0.0/lib/mailglass/webhook/providers/ses/cert_cache.ex#L1)

ETS-backed SNS X.509 certificate cache for SES webhook signature verification.

Caches RSA public key terms extracted from AWS SNS signing certificates,
keyed by `SigningCertURL`. Prevents repeated `:httpc` network calls for the
same certificate (D-10, D-12).

Cache entries expire after a configurable TTL (default 24 hours). Expiry is
checked lazily during `fetch_public_key/1` — no background timer or sweep.

## Usage

    # In the SES provider: reuse the cached key, or fetch and cache it on a miss.
    # `fetch_and_extract_public_key!/1` and `ttl_seconds` are supplied by the caller.
    case CertCache.fetch_public_key(cert_url) do
      {:ok, public_key} ->
        public_key

      :miss ->
        public_key = fetch_and_extract_public_key!(cert_url)
        expires_at = DateTime.add(Mailglass.Clock.utc_now(), ttl_seconds, :second)
        CertCache.put(cert_url, public_key, expires_at)
        public_key
    end

# `fetch_public_key`

```elixir
@spec fetch_public_key(binary()) :: {:ok, term()} | :miss
```

Fetches the cached RSA public key term for `url`.

Returns `{:ok, public_key}` on cache hit within TTL, `:miss` on cache miss
or if the cached entry has expired. Expired entries are evicted from ETS
before returning `:miss`.

# `put`

```elixir
@spec put(binary(), term(), DateTime.t()) :: :ok
```

Inserts `public_key` into the cache keyed by `url` with expiry `expires_at`.

Overwrites any existing entry for the same URL. The `public_key` term is
whatever `:public_key.verify/4` accepts as its fourth argument — typically
an `{:RSAPublicKey, n, e}` record extracted from an X.509 certificate.
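
The lazy expiry of `fetch_public_key/1` and the overwrite behaviour of `put/3`, sketched as a stand-alone ETS cache. This is an added example, not Mailglass's own code; the module name `LazyCertCacheSketch`, its table name, the explicit `now` argument, treating `now == expires_at` as expired, and the sample URL and key are assumptions made for illustration.

```elixir
defmodule LazyCertCacheSketch do
  # Hypothetical module and table names; not the Mailglass implementation.
  @table :lazy_cert_cache_sketch

  def init do
    :ets.new(@table, [:set, :public, :named_table, read_concurrency: true])
    :ok
  end

  def put(url, public_key, %DateTime{} = expires_at) do
    # On a :set table, insert/2 overwrites any existing entry for the same key.
    true = :ets.insert(@table, {url, public_key, expires_at})
    :ok
  end

  def fetch_public_key(url, now \\ DateTime.utc_now()) do
    case :ets.lookup(@table, url) do
      [{^url, public_key, expires_at} = entry] ->
        # Assumption: an entry whose expiry equals `now` counts as expired.
        if DateTime.compare(now, expires_at) == :lt do
          {:ok, public_key}
        else
          # Lazy expiry: evict on read. delete_object/2 removes only this exact
          # tuple, so a fresh entry written concurrently by put/3 survives.
          :ets.delete_object(@table, entry)
          :miss
        end

      [] ->
        :miss
    end
  end
end

# Constructed sample data: placeholder URL and a toy RSA key record.
url = "https://sns.example.invalid/cert.pem"
key = {:RSAPublicKey, 3233, 17}
now = ~U[2024-01-01 00:00:00Z]
later = DateTime.add(now, 86_400, :second)

:ok = LazyCertCacheSketch.init()
:ok = LazyCertCacheSketch.put(url, key, later)

{:ok, ^key} = LazyCertCacheSketch.fetch_public_key(url, now)
:miss = LazyCertCacheSketch.fetch_public_key(url, later)
[] = :ets.lookup(:lazy_cert_cache_sketch, url)
```

Passing `now` explicitly keeps the expiry check deterministic under test; the pattern matches at the end fail loudly if a hit, an expiry or the eviction does not behave as described.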

# `reset`
*since 0.3.0* 

```elixir
@spec reset() :: :ok
```

# `table`
*since 0.3.0* 

```elixir
@spec table() :: :mailglass_webhook_ses_cert_cache
```

