diff --git a/src/telegram/webhook.test.ts b/src/telegram/webhook.test.ts
index 5d9efe61074..6d4850e4db7 100644
--- a/src/telegram/webhook.test.ts
+++ b/src/telegram/webhook.test.ts
@@ -31,6 +31,7 @@ describe("startTelegramWebhook", () => {
 const cfg = { bindings: [] };
 const { server } = await startTelegramWebhook({
 token: "tok",
+ secret: "secret",
 accountId: "opie",
 config: cfg,
 port: 0, // random free port
@@ -62,6 +63,7 @@ describe("startTelegramWebhook", () => {
 const cfg = { bindings: [] };
 const { server } = await startTelegramWebhook({
 token: "tok",
+ secret: "secret",
 accountId: "opie",
 config: cfg,
 port: 0,
@@ -82,4 +84,12 @@ describe("startTelegramWebhook", () => {
 expect(handlerSpy).toHaveBeenCalled();
 abort.abort();
 });
+
+ it("rejects startup when webhook secret is missing", async () => {
+ await expect(
+ startTelegramWebhook({
+ token: "tok",
+ }),
+ ).rejects.toThrow(/requires a non-empty secret token/i);
+ });
 });
diff --git a/src/telegram/webhook.ts b/src/telegram/webhook.ts
index 85b5806935a..a23f0aa30a6 100644
--- a/src/telegram/webhook.ts
+++ b/src/telegram/webhook.ts
@@ -38,6 +38,13 @@ export async function startTelegramWebhook(opts: {
 const healthPath = opts.healthPath ?? "/healthz";
 const port = opts.port ?? 8787;
 const host = opts.host ?? "127.0.0.1";
+ const secret = typeof opts.secret === "string" ? opts.secret.trim() : "";
+ if (!secret) {
+ throw new Error(
+ "Telegram webhook mode requires a non-empty secret token. " +
+ "Set channels.telegram.webhookSecret in your config.",
+ );
+ }
 const runtime = opts.runtime ?? defaultRuntime;
 const diagnosticsEnabled = isDiagnosticsEnabled(opts.config);
 const bot = createTelegramBot({
@@ -48,7 +55,7 @@ export async function startTelegramWebhook(opts: {
 accountId: opts.accountId,
 });
 const handler = webhookCallback(bot, "http", {
- secretToken: opts.secret,
+ secretToken: secret,
 });
 if (diagnosticsEnabled) {
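Review bot: The new case at the end of the `describe` block covers only an omitted `secret`, while the guard in webhook.ts also rejects empty and whitespace-only strings through `trim()`, and those paths are untested. Add cases such as `startTelegramWebhook({ token: "tok", secret: "   " })` with the same `rejects.toThrow(/requires a non-empty secret token/i)` expectation, so a later refactor cannot drop the trim and quietly bring back an unauthenticated webhook. The two earlier hunks only thread `secret: "secret"` into existing calls; nothing visible in these hunks asserts that a request without the matching secret header is refused, which is the behaviour the secret exists to provide.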
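Review bot: The guard added after `const host` rejects only an empty value, so a one-character secret, or one containing characters Telegram does not accept, still passes and the problem surfaces later at `setWebhook`, if at all. Telegram documents `secret_token` as 1-256 characters from `A-Z`, `a-z`, `0-9`, `_` and `-`; checking that up front, e.g. `if (!/^[A-Za-z0-9_-]{1,256}$/.test(secret)) throw new Error(...)`, keeps startup fail-closed, and a minimum length would be worth considering. A short comment above the check should record why it exists: `// Without a secret the webhook handler cannot authenticate requests, so anyone who can reach the listener could submit forged updates.` The new test calls `startTelegramWebhook({ token: "tok" })`, which suggests `secret` is still optional in the `opts` type declared outside this hunk; making it required there would catch the omission at compile time. The function body starts and ends outside the hunk.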
@@ -124,7 +131,7 @@ export async function startTelegramWebhook(opts: {
 runtime,
 fn: () =>
 bot.api.setWebhook(publicUrl, {
- secret_token: opts.secret,
+ secret_token: secret,
 allowed_updates: resolveTelegramAllowedUpdates(),
 }),
 });