diff --git a/.env.schema b/.env.schema
index 9d90b2e..8b6b9a7 100644
--- a/.env.schema
+++ b/.env.schema
@@ -145,11 +145,12 @@ GATEWAY_BROKER_ORG_ID=
 # @sensitive=false @type=string
 SLACK_BROKER_ORG_ID=
-# Deprecated workspace/team ID aliases (still accepted for migration)
-# @sensitive=false @type=string(startsWith=T)
+# Deprecated workspace/team ID aliases (still accepted for migration).
+# May contain either legacy Slack workspace IDs (T...) or broker org IDs (org_...).
+# @sensitive=false @type=string
 GATEWAY_BROKER_WORKSPACE_ID=
-# @sensitive=false @type=string(startsWith=T)
+# @sensitive=false @type=string
 SLACK_BROKER_WORKSPACE_ID=
 # Gateway server X25519 private key (base64, preferred)
diff --git a/bin/broker-register.test.mjs b/bin/broker-register.test.mjs
index d76374c..35e6fb9 100644
--- a/bin/broker-register.test.mjs
+++ b/bin/broker-register.test.mjs
@@ -4,7 +4,7 @@ import fs from "node:fs";
 import os from "node:os";
 import path from "node:path";
 import { createServer } from "node:http";
-import { pathToFileURL } from "node:url";
+import { fileURLToPath, pathToFileURL } from "node:url";
 import {
 parseArgs,
 normalizeBrokerUrl,
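Review bot: In the `.env.schema` hunk, both deprecated alias annotations (above `GATEWAY_BROKER_WORKSPACE_ID=` and `SLACK_BROKER_WORKSPACE_ID=`) go from `string(startsWith=T)` to a bare `string`, so the schema no longer rejects any value, even though the new comment says only two shapes are expected (`T...` or `org_...`). If the schema format offers a pattern or regex option for strings, constrain the value to those two prefixes rather than dropping validation entirely. If it does not, add a comment line such as `# Format is not validated here; the consumer must check the T.../org_... prefix.` so the gap is visible. Whether the consuming code performs that check cannot be seen in this diff.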
@@ -266,6 +266,19 @@ test("runRegistration integration path succeeds against live local HTTP server",
 }
 });
+test("env schema accepts org IDs for deprecated workspace aliases", () => {
+ const schemaPath = fileURLToPath(new URL("../.env.schema", import.meta.url));
+ const lines = fs.readFileSync(schemaPath, "utf8").split(/\r?\n/);
+
+ const gatewayWorkspaceIndex = lines.findIndex((line) => line.startsWith("GATEWAY_BROKER_WORKSPACE_ID="));
+ assert.notEqual(gatewayWorkspaceIndex, -1, "GATEWAY_BROKER_WORKSPACE_ID missing from .env.schema");
+ assert.equal(lines[gatewayWorkspaceIndex - 1].trim(), "# @sensitive=false @type=string");
+
+ const slackWorkspaceIndex = lines.findIndex((line) => line.startsWith("SLACK_BROKER_WORKSPACE_ID="));
+ assert.notEqual(slackWorkspaceIndex, -1, "SLACK_BROKER_WORKSPACE_ID missing from .env.schema");
+ assert.equal(lines[slackWorkspaceIndex - 1].trim(), "# @sensitive=false @type=string");
+});
+
 test("runRegistration does not write SLACK_BOT_TOKEN even when broker returns encrypted_bot_token", async () => {
 const fetchImpl = async (url) => {
 if (String(url).endsWith("/api/broker-pubkey")) {
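Review bot: The added test compares the annotation line to the exact string `# @sensitive=false @type=string`, which pins both aliases to an unconstrained string and would fail if the type were later tightened to accept only `T...` or `org_...` values. Despite its name, it never runs a value through schema validation. Asserting that the old restriction is gone is enough for the regression, e.g. `assert.doesNotMatch(lines[gatewayWorkspaceIndex - 1], /startsWith=T\b/);`, with the same for `slackWorkspaceIndex`. Separately, `lines[index - 1]` is `undefined` when the variable sits on the first line of the file, so `.trim()` would throw a TypeError instead of a readable assertion failure; guarding with `index > 0` avoids that.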