diff --git a/backend/bookings/admin.py b/backend/bookings/admin.py
index a078ea5..fefd222 100644
--- a/backend/bookings/admin.py
+++ b/backend/bookings/admin.py
@@ -40,8 +40,8 @@ class ReservationAdminForm(forms.ModelForm):
 class ReservationTokenInline(admin.TabularInline):
     model = ReservationToken
     extra = 0
-    readonly_fields = ("token_hash", "used_at", "created_at")
-    fields = ("purpose", "token_hash", "expires_at", "used_at", "created_at")
+    readonly_fields = ("used_at", "created_at")
+    fields = ("purpose", "expires_at", "used_at", "created_at")
     can_delete = False
@@ -231,13 +231,10 @@ class ReservationAdmin(admin.ModelAdmin):
 @admin.register(ReservationToken)
 class ReservationTokenAdmin(admin.ModelAdmin):
-    list_display = ("reservation", "purpose", "expires_at", "used_at", "created_at", "token_preview")
+    list_display = ("reservation", "purpose", "expires_at", "used_at", "created_at")
     list_filter = ("purpose", "expires_at", "used_at", "created_at")
     search_fields = ("reservation__name", "reservation__email", "token_hash")
-    readonly_fields = ("token_hash", "created_at", "used_at")
+    readonly_fields = ("created_at", "used_at")
+    exclude = ("token_hash",)
     list_select_related = ("reservation", "reservation__performance")
     autocomplete_fields = ("reservation",)
-
-    @admin.display(description="Token hash")
-    def token_preview(self, obj):
-        return obj.token_hash[:12]
diff --git a/backend/bookings/test_admin.py b/backend/bookings/test_admin.py
index 37367f3..016bfe7 100644
--- a/backend/bookings/test_admin.py
+++ b/backend/bookings/test_admin.py
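Review bot: `search_fields` in ReservationTokenAdmin still lists `"token_hash"`, so the hash the commit hides from the changelist and change form remains queryable through the admin search box; Django's default search uses `icontains`, which lets any staff user with the changelist confirm whether a hash with a given substring exists, one prefix at a time. If lookup by hash is not needed, drop it: `search_fields = ("reservation__name", "reservation__email")`; if it is needed for support, require an exact match with the `"=token_hash"` prefix so partial values return nothing. Separately, with `exclude = ("token_hash",)` the admin "add" view presumably produces a token whose hash is never set, since the only visible creation path is `ReservationToken.create_token` in the test file; consider `def has_add_permission(self, request): return False` on ReservationTokenAdmin so tokens are only minted through that helper. The same consideration applies to the ReservationTokenInline hunk above, whose `fields` still allow `purpose` and `expires_at` to be edited from the reservation page.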
@@ -83,3 +83,29 @@ class ReservationAdminTests(TestCase):
             "https://tickets.azionelab.example/api/reservations/confirm/?token=",
             mail.outbox[0].body,
         )
+
+    def test_token_hash_is_hidden_in_token_admin_views(self):
+        reservation = Reservation.objects.create(
+            performance=self.performance,
+            name="Maria Rossi",
+            email="maria@example.com",
+            party_size=2,
+        )
+        token, _ = ReservationToken.create_token(
+            reservation=reservation,
+            purpose=ReservationToken.Purpose.CONFIRMATION,
+            expires_at=timezone.now() + timedelta(hours=2),
+        )
+
+        changelist_response = self.client.get(reverse("admin:bookings_reservationtoken_changelist"))
+        change_response = self.client.get(
+            reverse("admin:bookings_reservationtoken_change", args=[token.id]),
+        )
+
+        self.assertEqual(changelist_response.status_code, 200)
+        self.assertEqual(change_response.status_code, 200)
+        self.assertNotContains(changelist_response, token.token_hash)
+        self.assertNotContains(change_response, token.token_hash)
+        self.assertContains(change_response, token.get_purpose_display())
+        self.assertContains(change_response, "Expires at")
+        self.assertContains(change_response, "Used at")
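Review bot: The new test covers only the ReservationToken changelist and change views, but the same commit also strips `token_hash` from ReservationTokenInline, which renders on the Reservation change page, and that page is never fetched here. Add a request to the reservation change view (presumably `reverse("admin:bookings_reservation_change", args=[reservation.id])`, following the naming the existing `reverse` calls use) and assert `self.assertNotContains(reservation_response, token.token_hash)` so a future edit to the inline's `fields` cannot silently re-expose the hash. It would also be worth asserting that a changelist search for a substring of `token.token_hash` does not return the row, since `search_fields` in the admin still includes it. The enclosing ReservationAdminTests class starts outside the hunk.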