diff --git a/braintrust/templates/api-configmap.yaml b/braintrust/templates/api-configmap.yaml index 25c91d1..968696a 100644 --- a/braintrust/templates/api-configmap.yaml +++ b/braintrust/templates/api-configmap.yaml @@ -1,3 +1,9 @@ +{{- $orgName := .Values.global.orgName | default "" | toString | trim -}} +{{- $primaryOrgName := .Values.global.primaryOrgName | default "" | toString | trim -}} +{{- if and (or (eq $orgName "") (eq $orgName "*")) (eq $primaryOrgName "") -}} +{{- fail "global.primaryOrgName is required when global.orgName is empty or \"*\"; self-hosted service-token management needs a primary organization." -}} +{{- end -}} +{{- $allowedOrgIds := .Values.global.allowedOrgIds | default "" | toString | trim -}} --- apiVersion: v1 kind: ConfigMap @@ -13,7 +19,11 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} data: - ORG_NAME: {{ .Values.global.orgName | quote }} + ORG_NAME: {{ $orgName | quote }} + PRIMARY_ORG_NAME: {{ $primaryOrgName | quote }} + {{- with $allowedOrgIds }} + ALLOWED_ORG_IDS: {{ . | quote }} + {{- end }} {{- if eq .Values.cloud "azure" }} AZURE_STORAGE_ACCOUNT_NAME: {{ .Values.objectStorage.azure.storageAccountName | quote }} diff --git a/braintrust/tests/api-configmap_test.yaml b/braintrust/tests/api-configmap_test.yaml index 4c156a1..bc2984d 100644 --- a/braintrust/tests/api-configmap_test.yaml +++ b/braintrust/tests/api-configmap_test.yaml @@ -16,6 +16,9 @@ tests: - equal: path: data.ORG_NAME value: "test-org" + - equal: + path: data.PRIMARY_ORG_NAME + value: "" - equal: path: data.BRAINSTORE_ENABLED value: "true" 
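Review bot: The guard at the top of api-configmap.yaml rejects only an empty `$primaryOrgName`, so `global.primaryOrgName: "*"` renders without error even though the failure message ties this value to authorizing self-hosted service-token management. How the API interprets a wildcard in PRIMARY_ORG_NAME is not visible in this diff, but a setting that is meant to name one organization should be checked for that at render time. I would add, after the existing `fail` block, `{{- if eq $primaryOrgName "*" -}}{{- fail "global.primaryOrgName must name a single organization, not \"*\"" -}}{{- end -}}`, with a matching `failedTemplate` case in the test file.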
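Review bot: ALLOWED_ORG_IDS is written from `$allowedOrgIds` after trimming only the outer whitespace, so values such as `"org_123, org_456"` or `"org_123,"` reach the API with a padded or empty entry. The parser on the API side is not shown here; if it compares entries exactly, a padded ID never matches, and an empty entry is an ambiguous allowlist member. Normalising per entry in the template keeps the rendered allowlist unambiguous and still omits the key when nothing is left, which the existing blank and padded tests already expect. The change touches the `$allowedOrgIds` definition in the first hunk as well as the `with` block here.

```yaml
{{- /* … unchanged: orgName / primaryOrgName guard … */ -}}
{{- $allowedOrgIds := list -}}
{{- range splitList "," (.Values.global.allowedOrgIds | default "" | toString) -}}
  {{- with trim . -}}
    {{- $allowedOrgIds = append $allowedOrgIds . -}}
  {{- end -}}
{{- end -}}
# … unchanged: metadata, ORG_NAME, PRIMARY_ORG_NAME …
  {{- with $allowedOrgIds }}
  ALLOWED_ORG_IDS: {{ join "," . | quote }}
  {{- end }}
```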
@@ -23,6 +26,90 @@ tests: path: data.BRAINSTORE_DEFAULT value: "force" + - it: should omit allowed org IDs when unset + values: + - __fixtures__/base-values.yaml + release: + namespace: "braintrust" + asserts: + - isNull: + path: data.ALLOWED_ORG_IDS + + - it: should omit allowed org IDs when blank + values: + - __fixtures__/base-values.yaml + set: + global.allowedOrgIds: " " + release: + namespace: "braintrust" + asserts: + - isNull: + path: data.ALLOWED_ORG_IDS + + - it: should include allowed org IDs when configured + values: + - __fixtures__/base-values.yaml + set: + global.allowedOrgIds: " org_123,org_456 " + release: + namespace: "braintrust" + asserts: + - equal: + path: data.ALLOWED_ORG_IDS + value: "org_123,org_456" + + - it: should include primary org name when configured + values: + - __fixtures__/base-values.yaml + set: + global.primaryOrgName: " primary-org " + release: + namespace: "braintrust" + asserts: + - equal: + path: data.PRIMARY_ORG_NAME + value: "primary-org" + + - it: should allow wildcard org name when primary org name is configured + values: + - __fixtures__/base-values.yaml + set: + global.orgName: "*" + global.primaryOrgName: "primary-org" + release: + namespace: "braintrust" + asserts: + - equal: + path: data.ORG_NAME + value: "*" + - equal: + path: data.PRIMARY_ORG_NAME + value: "primary-org" + + - it: should reject empty org name without primary org name + values: + - __fixtures__/base-values.yaml + set: + global.orgName: "" + global.primaryOrgName: "" + release: + namespace: "braintrust" + asserts: + - failedTemplate: + errorMessage: "global.primaryOrgName is required when global.orgName is empty or \"*\"; self-hosted service-token management needs a primary organization." 
+ + - it: should reject wildcard org name without primary org name + values: + - __fixtures__/base-values.yaml + set: + global.orgName: "*" + global.primaryOrgName: " " + release: + namespace: "braintrust" + asserts: + - failedTemplate: + errorMessage: "global.primaryOrgName is required when global.orgName is empty or \"*\"; self-hosted service-token management needs a primary organization." + - it: should use correct namespace from helper when createNamespace is false values: - __fixtures__/base-values.yaml diff --git a/braintrust/values.yaml b/braintrust/values.yaml index 8d11560..778e0c3 100644 --- a/braintrust/values.yaml +++ b/braintrust/values.yaml @@ -1,6 +1,12 @@ # Global configs global: orgName: "" + # Required when orgName is empty or "*". Used to authorize self-hosted + # service-token management. + primaryOrgName: "" + # Optional comma-separated org ID allowlist. If orgName is a specific name, + # that org is included in the allowlist. + allowedOrgIds: "" # When createNamespace is true, the namespace will be created and resources will be in global.namespace # When createNamespace is false, resources will use .Release.Namespace (the namespace specified during helm install/upgrade) createNamespace: false
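Review bot: The rejection tests cover a whitespace-only `global.primaryOrgName`, but none of them exercises the `trim` on `global.orgName`, which is the half of the guard that decides whether a primary organization is required at all. A padded wildcard such as `" * "` should hit the same `fail`, and without a test a later edit that drops the trim would let that value render with no primary organization. A case with a padded specific name asserting that `data.ORG_NAME` is emitted trimmed would pin the other behaviour this commit changes.

```yaml
  - it: should reject whitespace-padded wildcard org name without primary org name
    values:
      - __fixtures__/base-values.yaml
    set:
      global.orgName: " * "
      global.primaryOrgName: ""
    release:
      namespace: "braintrust"
    asserts:
      - failedTemplate:
          errorMessage: "global.primaryOrgName is required when global.orgName is empty or \"*\"; self-hosted service-token management needs a primary organization."
```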
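Review bot: The new comments in values.yaml do not say what an empty `allowedOrgIds` means, nor that the chart no longer renders with its own defaults. The template omits ALLOWED_ORG_IDS entirely when the value is blank, and `orgName: ""` together with `primaryOrgName: ""` now hits the `fail` guard. An operator choosing `orgName: "*"` needs to know that leaving the allowlist empty produces no ID restriction in the ConfigMap. I would add `# Empty means ALLOWED_ORG_IDS is not rendered, so no org ID restriction is configured.` above `allowedOrgIds`, and `# With the defaults below (orgName empty) rendering fails until this is set.` above `primaryOrgName`.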