diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..7732a47
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,11 @@
+repos:
+ - repo: local
+ hooks:
+ - id: no-telegram-bot-token
+ name: Block Telegram bot tokens
+ # Matches tokens of format: 1234567890:AAFisjLS-yO_AmwqMjpBQgfV9qlHnexZlMs
+ # Pattern: 9-10 digits, colon, "AA", then 35 alphanumeric/dash/underscore chars
+ entry: '\d{9,10}:AA[A-Za-z0-9_-]{35}'
+ language: pygrep
+ types: [text]
+ exclude: '^\.pre-commit-config\.yaml$'
diff --git a/backend/telegram.py b/backend/telegram.py
index e8af507..4b37a7e 100644
--- a/backend/telegram.py
+++ b/backend/telegram.py
@@ -106,7 +106,8 @@ async def send_registration_notification(
 resp.text,
 )
 except Exception as exc:
- logger.error("send_registration_notification error: %s", exc)
+ # Do not log exc directly — httpx exceptions embed the full API URL with BOT_TOKEN
+ logger.error("send_registration_notification error: %s", type(exc).__name__)
 
 
 async def answer_callback_query(callback_query_id: str) -> None:
@@ -118,7 +119,8 @@ async def answer_callback_query(callback_query_id: str) -> None:
 if resp.status_code != 200:
 logger.error("answerCallbackQuery failed %s: %s", resp.status_code, resp.text)
 except Exception as exc:
- logger.error("answerCallbackQuery error: %s", exc)
+ # Do not log exc directly — httpx exceptions embed the full API URL with BOT_TOKEN
+ logger.error("answerCallbackQuery error: %s", type(exc).__name__)
 
 
 async def edit_message_text(chat_id: str | int, message_id: int, text: str) -> None:
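Review bot: The example in the comment line `# Matches tokens of format: 1234567890:AAFisjLS-yO_AmwqMjpBQgfV9qlHnexZlMs` itself matches the hook's regex, which is the only reason the file has to exempt itself with `exclude: '^\.pre-commit-config\.yaml$'`; rewriting the example as a non-matching shape such as `# Matches tokens of the form <9-10 digits>:AA<35 chars of [A-Za-z0-9_-]>` would let the exclude be dropped, so the config file is no longer a blanket exemption where a real value could later go unnoticed. The pattern is also fairly narrow: if a bot id can have fewer than 9 digits, or the secret part is not always exactly 35 characters with an `AA` prefix (worth confirming against real tokens before relying on it), such a token passes the hook unchecked, and a comment stating which token shapes were verified would help the next maintainer. Because pygrep runs client-side on staged files only, it does not cover history already in the repository and is bypassed by commits made with hooks disabled, so it complements rather than replaces server-side secret scanning and rotation of any token that was previously committed.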
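Review bot: Logging only `type(exc).__name__` at `logger.error("send_registration_notification error: %s", type(exc).__name__)` closes the token leak but also drops the message for non-httpx failures, and the same trade is made in the `answerCallbackQuery` and `editMessageText` hunks. If that detail is wanted, log the message with the token masked instead, e.g. `logger.error("send_registration_notification error: %s", str(exc).replace(BOT_TOKEN, "<redacted>"))`, using the module-level token the new comment refers to as `BOT_TOKEN` (its exact name in this file is outside the hunk and should be confirmed). Independently of these handlers, httpx itself emits an `HTTP Request: ...` line containing the full URL on the `httpx` logger (at INFO level in recent releases), so the same token would still reach the logs whenever the application's effective level is INFO or lower; raising that logger to WARNING is worth checking alongside this change. The enclosing `send_registration_notification` starts before the hunk, so whether any other branch in it logs the URL cannot be seen here.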
@@ -132,7 +134,8 @@ async def edit_message_text(chat_id: str | int, message_id: int, text: str) -> N
 if resp.status_code != 200:
 logger.error("editMessageText failed %s: %s", resp.status_code, resp.text)
 except Exception as exc:
- logger.error("editMessageText error: %s", exc)
+ # Do not log exc directly — httpx exceptions embed the full API URL with BOT_TOKEN
+ logger.error("editMessageText error: %s", type(exc).__name__)
 
 
 async def set_webhook(url: str, secret: str) -> None:
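Review bot: The same two-line comment plus `logger.error("... error: %s", type(exc).__name__)` now appears in three handlers (here and in the two hunks above), so the redaction rule lives in three places and a fourth Bot API call — `set_webhook` begins on this hunk's last line and its body is outside view — could easily drift back to logging `exc`. A small module-level helper, say `def _log_api_error(method: str, exc: BaseException) -> None:` whose docstring explains that only the exception class is logged because httpx errors carry the token-bearing URL, with each handler reduced to `_log_api_error("editMessageText", exc)`, keeps the rule in one place. The repeated inline comment then collapses to a single explanation on the helper.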