diff --git a/NEXT_CHANGELOG.md b/NEXT_CHANGELOG.md
index 00152d550e..f8dbd68987 100644
--- a/NEXT_CHANGELOG.md
+++ b/NEXT_CHANGELOG.md
@@ -4,6 +4,8 @@
 
 ### CLI
 
+* `databricks api` now works against unified hosts. Adds `--account` to scope a call to the account API, `--workspace-id` to override the workspace routing identifier per call, and `{account_id}` substitution from the active profile's `account_id`.
+
 ### Bundles
 
 ### Dependency updates
diff --git a/acceptance/cmd/api/account-flag/out.requests.txt b/acceptance/cmd/api/account-flag/out.requests.txt
new file mode 100644
index 0000000000..0dd6d7022f
--- /dev/null
+++ b/acceptance/cmd/api/account-flag/out.requests.txt
@@ -0,0 +1,21 @@
+{
+  "headers": {
+    "User-Agent": [
+      "cli/[DEV_VERSION] databricks-sdk-go/[SDK_VERSION] go/[GO_VERSION] os/darwin"
+    ]
+  },
+  "method": "GET",
+  "path": "/.well-known/databricks-config"
+}
+{
+  "headers": {
+    "Authorization": [
+      "Bearer [DATABRICKS_TOKEN]"
+    ],
+    "User-Agent": [
+      "cli/[DEV_VERSION] databricks-sdk-go/[SDK_VERSION] go/[GO_VERSION] os/darwin cmd/api_get cmd-exec-id/[UUID] interactive/none auth/pat"
+    ]
+  },
+  "method": "GET",
+  "path": "/api/2.0/clusters/list"
+}
diff --git a/acceptance/cmd/api/account-flag/out.test.toml b/acceptance/cmd/api/account-flag/out.test.toml
new file mode 100644
index 0000000000..d560f1de04
--- /dev/null
+++ b/acceptance/cmd/api/account-flag/out.test.toml
@@ -0,0 +1,5 @@
+Local = true
+Cloud = false
+
+[EnvMatrix]
+  DATABRICKS_BUNDLE_ENGINE = ["terraform", "direct"]
diff --git a/acceptance/cmd/api/account-flag/output.txt b/acceptance/cmd/api/account-flag/output.txt
new file mode 100644
index 0000000000..0967ef424b
--- /dev/null
+++ b/acceptance/cmd/api/account-flag/output.txt
@@ -0,0 +1 @@
+{}
diff --git a/acceptance/cmd/api/account-flag/script b/acceptance/cmd/api/account-flag/script
new file mode 100644
index 0000000000..ed4dd74b0c
--- /dev/null
+++ b/acceptance/cmd/api/account-flag/script
@@ -0,0 +1 @@
+$CLI api get /api/2.0/clusters/list --account
diff --git a/acceptance/cmd/api/account-id-missing/out.requests.txt b/acceptance/cmd/api/account-id-missing/out.requests.txt
new file mode 100644
index 0000000000..64b313d01e
--- /dev/null
+++ b/acceptance/cmd/api/account-id-missing/out.requests.txt
@@ -0,0 +1,9 @@
+{
+  "headers": {
+    "User-Agent": [
+      "cli/[DEV_VERSION] databricks-sdk-go/[SDK_VERSION] go/[GO_VERSION] os/darwin"
+    ]
+  },
+  "method": "GET",
+  "path": "/.well-known/databricks-config"
+}
diff --git a/acceptance/cmd/api/account-id-missing/out.test.toml b/acceptance/cmd/api/account-id-missing/out.test.toml
new file mode 100644
index 0000000000..d560f1de04
--- /dev/null
+++ b/acceptance/cmd/api/account-id-missing/out.test.toml
@@ -0,0 +1,5 @@
+Local = true
+Cloud = false
+
+[EnvMatrix]
+  DATABRICKS_BUNDLE_ENGINE = ["terraform", "direct"]
diff --git a/acceptance/cmd/api/account-id-missing/output.txt b/acceptance/cmd/api/account-id-missing/output.txt
new file mode 100644
index 0000000000..44af079ab0
--- /dev/null
+++ b/acceptance/cmd/api/account-id-missing/output.txt
@@ -0,0 +1,5 @@
+
+>>> errcode [CLI] api get /api/2.0/accounts/{account_id}/oauth2/published-app-integrations
+Error: path contains {account_id} but no account_id is set on profile "" (set account_id in ~/.databrickscfg, export DATABRICKS_ACCOUNT_ID, or replace {account_id} in the path)
+
+Exit code: 1
diff --git a/acceptance/cmd/api/account-id-missing/script b/acceptance/cmd/api/account-id-missing/script
new file mode 100644
index 0000000000..eba2e79868
--- /dev/null
+++ b/acceptance/cmd/api/account-id-missing/script
@@ -0,0 +1,5 @@
+# No DATABRICKS_ACCOUNT_ID; the testserver also doesn't set account_id in
+# .well-known. The CLI must fail with the actionable error before any target
+# API request is sent. (Config resolution still hits .well-known earlier in
+# the lifecycle, which is expected.)
+trace errcode $CLI api get '/api/2.0/accounts/{account_id}/oauth2/published-app-integrations'
diff --git a/acceptance/cmd/api/account-id-substitution/out.requests.txt b/acceptance/cmd/api/account-id-substitution/out.requests.txt
new file mode 100644
index 0000000000..0d779ee1b5
--- /dev/null
+++ b/acceptance/cmd/api/account-id-substitution/out.requests.txt
@@ -0,0 +1,21 @@
+{
+  "headers": {
+    "User-Agent": [
+      "cli/[DEV_VERSION] databricks-sdk-go/[SDK_VERSION] go/[GO_VERSION] os/darwin"
+    ]
+  },
+  "method": "GET",
+  "path": "/.well-known/databricks-config"
+}
+{
+  "headers": {
+    "Authorization": [
+      "Bearer [DATABRICKS_TOKEN]"
+    ],
+    "User-Agent": [
+      "cli/[DEV_VERSION] databricks-sdk-go/[SDK_VERSION] go/[GO_VERSION] os/darwin cmd/api_get cmd-exec-id/[UUID] interactive/none auth/pat"
+    ]
+  },
+  "method": "GET",
+  "path": "/api/2.0/accounts/abc-123/oauth2/published-app-integrations"
+}
diff --git a/acceptance/cmd/api/account-id-substitution/out.test.toml b/acceptance/cmd/api/account-id-substitution/out.test.toml
new file mode 100644
index 0000000000..d560f1de04
--- /dev/null
+++ b/acceptance/cmd/api/account-id-substitution/out.test.toml
@@ -0,0 +1,5 @@
+Local = true
+Cloud = false
+
+[EnvMatrix]
+  DATABRICKS_BUNDLE_ENGINE = ["terraform", "direct"]
diff --git a/acceptance/cmd/api/account-id-substitution/output.txt b/acceptance/cmd/api/account-id-substitution/output.txt
new file mode 100644
index 0000000000..0967ef424b
--- /dev/null
+++ b/acceptance/cmd/api/account-id-substitution/output.txt
@@ -0,0 +1 @@
+{}
diff --git a/acceptance/cmd/api/account-id-substitution/script b/acceptance/cmd/api/account-id-substitution/script
new file mode 100644
index 0000000000..8e509e7408
--- /dev/null
+++ b/acceptance/cmd/api/account-id-substitution/script
@@ -0,0 +1,2 @@
+export DATABRICKS_ACCOUNT_ID=abc-123
+$CLI api get '/api/2.0/accounts/{account_id}/oauth2/published-app-integrations'
diff --git a/acceptance/cmd/api/account-path/out.requests.txt b/acceptance/cmd/api/account-path/out.requests.txt
new file mode 100644
index 0000000000..d143b64be9
--- /dev/null
+++ b/acceptance/cmd/api/account-path/out.requests.txt
@@ -0,0 +1,21 @@
+{
+  "headers": {
+    "User-Agent": [
+      "cli/[DEV_VERSION] databricks-sdk-go/[SDK_VERSION] go/[GO_VERSION] os/darwin"
+    ]
+  },
+  "method": "GET",
+  "path": "/.well-known/databricks-config"
+}
+{
+  "headers": {
+    "Authorization": [
+      "Bearer [DATABRICKS_TOKEN]"
+    ],
+    "User-Agent": [
+      "cli/[DEV_VERSION] databricks-sdk-go/[SDK_VERSION] go/[GO_VERSION] os/darwin cmd/api_get cmd-exec-id/[UUID] interactive/none auth/pat"
+    ]
+  },
+  "method": "GET",
+  "path": "/api/2.0/accounts/abc-123/network-policies"
+}
diff --git a/acceptance/cmd/api/account-path/out.test.toml b/acceptance/cmd/api/account-path/out.test.toml
new file mode 100644
index 0000000000..d560f1de04
--- /dev/null
+++ b/acceptance/cmd/api/account-path/out.test.toml
@@ -0,0 +1,5 @@
+Local = true
+Cloud = false
+
+[EnvMatrix]
+  DATABRICKS_BUNDLE_ENGINE = ["terraform", "direct"]
diff --git a/acceptance/cmd/api/account-path/output.txt b/acceptance/cmd/api/account-path/output.txt
new file mode 100644
index 0000000000..0967ef424b
--- /dev/null
+++ b/acceptance/cmd/api/account-path/output.txt
@@ -0,0 +1 @@
+{}
diff --git a/acceptance/cmd/api/account-path/script b/acceptance/cmd/api/account-path/script
new file mode 100644
index 0000000000..67e46484e4
--- /dev/null
+++ b/acceptance/cmd/api/account-path/script
@@ -0,0 +1 @@
+$CLI api get /api/2.0/accounts/abc-123/network-policies
diff --git a/acceptance/cmd/api/test.toml b/acceptance/cmd/api/test.toml
new file mode 100644
index 0000000000..69e31b128f
--- /dev/null
+++ b/acceptance/cmd/api/test.toml
@@ -0,0 +1,22 @@
+RecordRequests = true
+IncludeRequestHeaders = ["Authorization", "User-Agent", "X-Databricks-Org-Id"]
+
+# Common stubs for paths used across variants. Each returns an empty JSON
+# object; the variants assert on the *recorded request* (out.requests.txt),
+# not on the response body, so any well-formed JSON is fine.
+
+[[Server]]
+Pattern = "GET /api/2.0/clusters/list"
+Response.Body = '{}'
+
+[[Server]]
+Pattern = "GET /api/2.0/accounts/abc-123/network-policies"
+Response.Body = '{}'
+
+[[Server]]
+Pattern = "GET /api/2.0/accounts/abc-123/oauth2/published-app-integrations"
+Response.Body = '{}'
+
+[[Server]]
+Pattern = "GET /api/2.0/preview/accounts/access-control/rule-sets"
+Response.Body = '{}'
diff --git a/acceptance/cmd/api/workspace-id-flag/out.requests.txt b/acceptance/cmd/api/workspace-id-flag/out.requests.txt
new file mode 100644
index 0000000000..7036250369
--- /dev/null
+++ b/acceptance/cmd/api/workspace-id-flag/out.requests.txt
@@ -0,0 +1,24 @@
+{
+  "headers": {
+    "User-Agent": [
+      "cli/[DEV_VERSION] databricks-sdk-go/[SDK_VERSION] go/[GO_VERSION] os/darwin"
+    ]
+  },
+  "method": "GET",
+  "path": "/.well-known/databricks-config"
+}
+{
+  "headers": {
+    "Authorization": [
+      "Bearer [DATABRICKS_TOKEN]"
+    ],
+    "User-Agent": [
+      "cli/[DEV_VERSION] databricks-sdk-go/[SDK_VERSION] go/[GO_VERSION] os/darwin cmd/api_get cmd-exec-id/[UUID] interactive/none auth/pat"
+    ],
+    "X-Databricks-Org-Id": [
+      "999"
+    ]
+  },
+  "method": "GET",
+  "path": "/api/2.0/clusters/list"
+}
diff --git a/acceptance/cmd/api/workspace-id-flag/out.test.toml b/acceptance/cmd/api/workspace-id-flag/out.test.toml
new file mode 100644
index 0000000000..d560f1de04
--- /dev/null
+++ b/acceptance/cmd/api/workspace-id-flag/out.test.toml
@@ -0,0 +1,5 @@
+Local = true
+Cloud = false
+
+[EnvMatrix]
+  DATABRICKS_BUNDLE_ENGINE = ["terraform", "direct"]
diff --git a/acceptance/cmd/api/workspace-id-flag/output.txt b/acceptance/cmd/api/workspace-id-flag/output.txt
new file mode 100644
index 0000000000..0967ef424b
--- /dev/null
+++ b/acceptance/cmd/api/workspace-id-flag/output.txt
@@ -0,0 +1 @@
+{}
diff --git a/acceptance/cmd/api/workspace-id-flag/script b/acceptance/cmd/api/workspace-id-flag/script
new file mode 100644
index 0000000000..741c4048c8
--- /dev/null
+++ b/acceptance/cmd/api/workspace-id-flag/script
@@ -0,0 +1 @@
+$CLI api get /api/2.0/clusters/list --workspace-id 999
diff --git a/acceptance/cmd/api/workspace-id-none/out.requests.txt b/acceptance/cmd/api/workspace-id-none/out.requests.txt
new file mode 100644
index 0000000000..0dd6d7022f
--- /dev/null
+++ b/acceptance/cmd/api/workspace-id-none/out.requests.txt
@@ -0,0 +1,21 @@
+{
+  "headers": {
+    "User-Agent": [
+      "cli/[DEV_VERSION] databricks-sdk-go/[SDK_VERSION] go/[GO_VERSION] os/darwin"
+    ]
+  },
+  "method": "GET",
+  "path": "/.well-known/databricks-config"
+}
+{
+  "headers": {
+    "Authorization": [
+      "Bearer [DATABRICKS_TOKEN]"
+    ],
+    "User-Agent": [
+      "cli/[DEV_VERSION] databricks-sdk-go/[SDK_VERSION] go/[GO_VERSION] os/darwin cmd/api_get cmd-exec-id/[UUID] interactive/none auth/pat"
+    ]
+  },
+  "method": "GET",
+  "path": "/api/2.0/clusters/list"
+}
diff --git a/acceptance/cmd/api/workspace-id-none/out.test.toml b/acceptance/cmd/api/workspace-id-none/out.test.toml
new file mode 100644
index 0000000000..d560f1de04
--- /dev/null
+++ b/acceptance/cmd/api/workspace-id-none/out.test.toml
@@ -0,0 +1,5 @@
+Local = true
+Cloud = false
+
+[EnvMatrix]
+  DATABRICKS_BUNDLE_ENGINE = ["terraform", "direct"]
diff --git a/acceptance/cmd/api/workspace-id-none/output.txt b/acceptance/cmd/api/workspace-id-none/output.txt
new file mode 100644
index 0000000000..0967ef424b
--- /dev/null
+++ b/acceptance/cmd/api/workspace-id-none/output.txt
@@ -0,0 +1 @@
+{}
diff --git a/acceptance/cmd/api/workspace-id-none/script b/acceptance/cmd/api/workspace-id-none/script
new file mode 100644
index 0000000000..692f06ba97
--- /dev/null
+++ b/acceptance/cmd/api/workspace-id-none/script
@@ -0,0 +1,12 @@
+# Profile with workspace_id = none overrides the host-metadata back-fill.
+# The CLI must strip the sentinel before the header decision; the recorded
+# request should not carry the routing identifier.
+sethome "./home"
+cat > "./home/.databrickscfg" <<EOF
+[spog-account]
+host         = $DATABRICKS_HOST
+token        = $DATABRICKS_TOKEN
+workspace_id = none
+EOF
+
+$CLI api get /api/2.0/clusters/list --profile spog-account
diff --git a/acceptance/cmd/api/workspace-id-none/test.toml b/acceptance/cmd/api/workspace-id-none/test.toml
new file mode 100644
index 0000000000..36c0e7e237
--- /dev/null
+++ b/acceptance/cmd/api/workspace-id-none/test.toml
@@ -0,0 +1,3 @@
+Ignore = [
+    "home"
+]
diff --git a/acceptance/cmd/api/workspace-path/out.requests.txt b/acceptance/cmd/api/workspace-path/out.requests.txt
new file mode 100644
index 0000000000..79c097b67b
--- /dev/null
+++ b/acceptance/cmd/api/workspace-path/out.requests.txt
@@ -0,0 +1,24 @@
+{
+  "headers": {
+    "User-Agent": [
+      "cli/[DEV_VERSION] databricks-sdk-go/[SDK_VERSION] go/[GO_VERSION] os/darwin"
+    ]
+  },
+  "method": "GET",
+  "path": "/.well-known/databricks-config"
+}
+{
+  "headers": {
+    "Authorization": [
+      "Bearer [DATABRICKS_TOKEN]"
+    ],
+    "User-Agent": [
+      "cli/[DEV_VERSION] databricks-sdk-go/[SDK_VERSION] go/[GO_VERSION] os/darwin cmd/api_get cmd-exec-id/[UUID] interactive/none auth/pat"
+    ],
+    "X-Databricks-Org-Id": [
+      "[NUMID]"
+    ]
+  },
+  "method": "GET",
+  "path": "/api/2.0/clusters/list"
+}
diff --git a/acceptance/cmd/api/workspace-path/out.test.toml b/acceptance/cmd/api/workspace-path/out.test.toml
new file mode 100644
index 0000000000..d560f1de04
--- /dev/null
+++ b/acceptance/cmd/api/workspace-path/out.test.toml
@@ -0,0 +1,5 @@
+Local = true
+Cloud = false
+
+[EnvMatrix]
+  DATABRICKS_BUNDLE_ENGINE = ["terraform", "direct"]
diff --git a/acceptance/cmd/api/workspace-path/output.txt b/acceptance/cmd/api/workspace-path/output.txt
new file mode 100644
index 0000000000..0967ef424b
--- /dev/null
+++ b/acceptance/cmd/api/workspace-path/output.txt
@@ -0,0 +1 @@
+{}
diff --git a/acceptance/cmd/api/workspace-path/script b/acceptance/cmd/api/workspace-path/script
new file mode 100644
index 0000000000..5edd0d6e6f
--- /dev/null
+++ b/acceptance/cmd/api/workspace-path/script
@@ -0,0 +1 @@
+$CLI api get /api/2.0/clusters/list
diff --git a/acceptance/cmd/api/workspace-proxy-regression/out.requests.txt b/acceptance/cmd/api/workspace-proxy-regression/out.requests.txt
new file mode 100644
index 0000000000..736d060495
--- /dev/null
+++ b/acceptance/cmd/api/workspace-proxy-regression/out.requests.txt
@@ -0,0 +1,24 @@
+{
+  "headers": {
+    "User-Agent": [
+      "cli/[DEV_VERSION] databricks-sdk-go/[SDK_VERSION] go/[GO_VERSION] os/darwin"
+    ]
+  },
+  "method": "GET",
+  "path": "/.well-known/databricks-config"
+}
+{
+  "headers": {
+    "Authorization": [
+      "Bearer [DATABRICKS_TOKEN]"
+    ],
+    "User-Agent": [
+      "cli/[DEV_VERSION] databricks-sdk-go/[SDK_VERSION] go/[GO_VERSION] os/darwin cmd/api_get cmd-exec-id/[UUID] interactive/none auth/pat"
+    ],
+    "X-Databricks-Org-Id": [
+      "[NUMID]"
+    ]
+  },
+  "method": "GET",
+  "path": "/api/2.0/preview/accounts/access-control/rule-sets"
+}
diff --git a/acceptance/cmd/api/workspace-proxy-regression/out.test.toml b/acceptance/cmd/api/workspace-proxy-regression/out.test.toml
new file mode 100644
index 0000000000..d560f1de04
--- /dev/null
+++ b/acceptance/cmd/api/workspace-proxy-regression/out.test.toml
@@ -0,0 +1,5 @@
+Local = true
+Cloud = false
+
+[EnvMatrix]
+  DATABRICKS_BUNDLE_ENGINE = ["terraform", "direct"]
diff --git a/acceptance/cmd/api/workspace-proxy-regression/output.txt b/acceptance/cmd/api/workspace-proxy-regression/output.txt
new file mode 100644
index 0000000000..0967ef424b
--- /dev/null
+++ b/acceptance/cmd/api/workspace-proxy-regression/output.txt
@@ -0,0 +1 @@
+{}
diff --git a/acceptance/cmd/api/workspace-proxy-regression/script b/acceptance/cmd/api/workspace-proxy-regression/script
new file mode 100644
index 0000000000..686c15b59b
--- /dev/null
+++ b/acceptance/cmd/api/workspace-proxy-regression/script
@@ -0,0 +1,4 @@
+# Workspace-routed proxy under accounts/. The deny-list must keep this from
+# being misclassified as account-scope, so the routing identifier should be
+# present on the recorded request.
+$CLI api get /api/2.0/preview/accounts/access-control/rule-sets
diff --git a/cmd/api/api.go b/cmd/api/api.go
index 057c8f2246..2a3cfb7bfe 100644
--- a/cmd/api/api.go
+++ b/cmd/api/api.go
@@ -1,11 +1,15 @@
 package api
 
 import (
+	"errors"
 	"fmt"
 	"net/http"
+	"net/url"
+	"regexp"
 	"strings"
 
 	"github.com/databricks/cli/cmd/root"
+	"github.com/databricks/cli/libs/auth"
 	"github.com/databricks/cli/libs/cmdio"
 	"github.com/databricks/cli/libs/flags"
 	"github.com/databricks/databricks-sdk-go/client"
@@ -13,6 +17,21 @@ import (
 	"github.com/spf13/cobra"
 )
 
+const (
+	// orgIDHeader is the workspace routing identifier sent on workspace-scope
+	// requests against unified hosts. Generated SDK service methods set this
+	// per-call when cfg.WorkspaceID is populated; we mirror the same idiom.
+	orgIDHeader = "X-Databricks-Org-Id"
+
+	accountIDPlaceholder = "{account_id}"
+)
+
+// accountSegmentRe matches a non-empty segment immediately after "accounts/",
+// anchored at the start of the path or after a "/". Account-ID shape is
+// deliberately opaque; the workspace-proxy lists in paths_generated.go carve
+// out the SDK proxies that also live under /accounts/.
+var accountSegmentRe = regexp.MustCompile(`(^|/)accounts/[^/]+`)
+
 func New() *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "api",
@@ -32,7 +51,11 @@ func New() *cobra.Command {
 }
 
 func makeCommand(method string) *cobra.Command {
-	var payload flags.JsonFlag
+	var (
+		payload         flags.JsonFlag
+		forceAccount    bool
+		workspaceIDFlag string
+	)
 
 	command := &cobra.Command{
 		Use:   strings.ToLower(method) + " PATH",
@@ -60,8 +83,28 @@ func makeCommand(method string) *cobra.Command {
 				return err
 			}
 
-			var response any
+			path, err = substituteAccountID(path, cfg.AccountID, cfg.Profile)
+			if err != nil {
+				return err
+			}
+
+			orgID, err := resolveOrgID(
+				forceAccount,
+				workspaceIDFlag,
+				cmd.Flags().Changed("workspace-id"),
+				normalizeWorkspaceID(cfg.WorkspaceID),
+				path,
+			)
+			if err != nil {
+				return err
+			}
+
 			headers := map[string]string{"Content-Type": "application/json"}
+			if orgID != "" {
+				headers[orgIDHeader] = orgID
+			}
+
+			var response any
 			err = api.Do(cmd.Context(), method, path, headers, nil, request, &response)
 			if err != nil {
 				return err
@@ -71,5 +114,92 @@ func makeCommand(method string) *cobra.Command {
 	}
 
 	command.Flags().Var(&payload, "json", `either inline JSON string or @path/to/file.json with request body`)
+	command.Flags().BoolVar(&forceAccount, "account", false,
+		"Treat this call as account-scoped (skip the workspace routing identifier). Mutually exclusive with --workspace-id.")
+	command.Flags().StringVar(&workspaceIDFlag, "workspace-id", "",
+		"Override the workspace routing identifier on this call. Mutually exclusive with --account.")
 	return command
 }
+
+// normalizeWorkspaceID strips the CLI-only WorkspaceIDNone sentinel so the
+// SDK's idiomatic "if cfg.WorkspaceID != \"\"" check produces the right call
+// shape. The CLI persists "none" in .databrickscfg to mark profiles where the
+// user explicitly skipped workspace selection; the SDK does not know about
+// this sentinel and would otherwise send the literal "none" as a routing
+// identifier.
+func normalizeWorkspaceID(workspaceID string) string {
+	if workspaceID == auth.WorkspaceIDNone {
+		return ""
+	}
+	return workspaceID
+}
+
+// substituteAccountID replaces "{account_id}" placeholders in path with the
+// resolved account ID. Errors with an actionable message if the placeholder
+// is present but no account_id is configured for the active profile.
+func substituteAccountID(path, accountID, profile string) (string, error) {
+	if !strings.Contains(path, accountIDPlaceholder) {
+		return path, nil
+	}
+	if accountID == "" {
+		return "", fmt.Errorf(
+			"path contains %s but no account_id is set on profile %q "+
+				"(set account_id in ~/.databrickscfg, export DATABRICKS_ACCOUNT_ID, "+
+				"or replace %s in the path)",
+			accountIDPlaceholder, profile, accountIDPlaceholder)
+	}
+	return strings.ReplaceAll(path, accountIDPlaceholder, accountID), nil
+}
+
+// hasAccountSegment reports whether path is an account-scope API. The match
+// runs on URL.Path, so query strings and fragments containing "/accounts/"
+// can't trigger a false positive. Returns false for paths that match a known
+// workspace-routed proxy from the generated tables.
+func hasAccountSegment(rawPath string) (bool, error) {
+	u, err := url.Parse(rawPath)
+	if err != nil {
+		return false, fmt.Errorf("parse path: %w", err)
+	}
+	p := u.Path
+	if _, ok := workspaceProxyExact[p]; ok {
+		return false, nil
+	}
+	for _, prefix := range workspaceProxyPrefixes {
+		if strings.HasPrefix(p, prefix) {
+			return false, nil
+		}
+	}
+	return accountSegmentRe.MatchString(p), nil
+}
+
+// resolveOrgID picks the value (if any) for the workspace routing identifier
+// based on flags, the resolved profile, and the path shape. Returns "" when
+// no header should be sent.
+func resolveOrgID(
+	forceAccount bool,
+	workspaceIDFlag string,
+	workspaceIDFlagSet bool,
+	cfgWorkspaceID string,
+	path string,
+) (string, error) {
+	if forceAccount && workspaceIDFlagSet {
+		return "", errors.New("--account and --workspace-id are mutually exclusive")
+	}
+	if forceAccount {
+		return "", nil
+	}
+	if workspaceIDFlagSet {
+		if workspaceIDFlag == "" {
+			return "", errors.New("--workspace-id requires a value; use --account to scope this call to the account API")
+		}
+		return workspaceIDFlag, nil
+	}
+	isAccount, err := hasAccountSegment(path)
+	if err != nil {
+		return "", err
+	}
+	if isAccount {
+		return "", nil
+	}
+	return cfgWorkspaceID, nil
+}
diff --git a/cmd/api/api_test.go b/cmd/api/api_test.go
new file mode 100644
index 0000000000..04f33c0bf9
--- /dev/null
+++ b/cmd/api/api_test.go
@@ -0,0 +1,220 @@
+package api
+
+import (
+	"testing"
+
+	"github.com/databricks/cli/libs/auth"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestHasAccountSegment(t *testing.T) {
+	cases := []struct {
+		name string
+		path string
+		want bool
+	}{
+		{"account UUID", "/api/2.0/accounts/123e4567-e89b-12d3-a456-426614174000/ip-access-lists", true},
+		{"AIP resource-name shape", "/api/networking/v1/accounts/123e4567-e89b-12d3-a456-426614174000/endpoints/abc", true},
+		{"iamv2 account API", "/api/2.0/identity/accounts/123e4567-e89b-12d3-a456-426614174000/workspaces/123/workspaceAccessDetails/abc", true},
+		{"non-UUID account ID", "/api/2.0/accounts/abc/foo", true},
+		{"hyphenated short ID", "/api/2.0/accounts/abc-123/network-policies", true},
+		{"substituted any-shape ID", "/api/2.0/accounts/some-account/oauth2/published-app-integrations", true},
+
+		{"deny-listed exact rule-sets", "/api/2.0/preview/accounts/access-control/rule-sets", false},
+		{"deny-listed exact assignable-roles", "/api/2.0/preview/accounts/access-control/assignable-roles", false},
+		{"exact-list miss falls to regex (rule-sets/foo)", "/api/2.0/preview/accounts/access-control/rule-sets/foo", true},
+		{"exact-list miss falls to regex (assignable-roles-extra)", "/api/2.0/preview/accounts/access-control/assignable-roles-extra", true},
+		{"deny-listed prefix servicePrincipals", "/api/2.0/accounts/servicePrincipals/abc-123/credentials/secrets", false},
+
+		{"no accounts segment", "/api/2.0/clusters/list", false},
+		{"segment ends in accounts (boundary)", "/api/2.0/some-accounts/abc/foo", false},
+
+		{"query string preserved on match", "/api/2.0/accounts/abc-123?include=foo", true},
+		{"query string with /accounts/ does not match", "/api/2.0/clusters/list?next=/accounts/foo", false},
+		{"fragment with accounts/ does not match", "/api/2.0/clusters/list#accounts/foo", false},
+
+		{"absolute URL, account path", "https://ignored.example.com/api/2.0/accounts/abc/foo?include=x", true},
+		{"absolute URL, query-string accounts/ does not match", "https://ignored.example.com/api/2.0/clusters/list?next=/accounts/foo", false},
+	}
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			got, err := hasAccountSegment(c.path)
+			require.NoError(t, err)
+			assert.Equal(t, c.want, got)
+		})
+	}
+}
+
+func TestResolveOrgID(t *testing.T) {
+	const (
+		workspacePath = "/api/2.0/clusters/list"
+		accountPath   = "/api/2.0/accounts/abc-123/network-policies"
+		proxyPath     = "/api/2.0/preview/accounts/access-control/rule-sets"
+		resolvedWSID  = "900800700600"
+		flagWSID      = "999"
+	)
+
+	cases := []struct {
+		name             string
+		forceAccount     bool
+		workspaceIDFlag  string
+		flagSet          bool
+		cfgWorkspaceID   string
+		path             string
+		want             string
+		wantErrSubstring string
+	}{
+		{
+			name:           "empty WorkspaceID + workspace path -> no identifier",
+			cfgWorkspaceID: "",
+			path:           workspacePath,
+			want:           "",
+		},
+		{
+			name:           "WorkspaceID set + workspace path -> sends identifier",
+			cfgWorkspaceID: resolvedWSID,
+			path:           workspacePath,
+			want:           resolvedWSID,
+		},
+		{
+			name:           "WorkspaceID set + account path -> no identifier (auto-detect)",
+			cfgWorkspaceID: resolvedWSID,
+			path:           accountPath,
+			want:           "",
+		},
+		{
+			name:           "WorkspaceID set + workspace-routed proxy under accounts/",
+			cfgWorkspaceID: resolvedWSID,
+			path:           proxyPath,
+			want:           resolvedWSID,
+		},
+		{
+			name:           "--account on workspace path",
+			forceAccount:   true,
+			cfgWorkspaceID: resolvedWSID,
+			path:           workspacePath,
+			want:           "",
+		},
+		{
+			name:            "--workspace-id overrides resolved value",
+			workspaceIDFlag: flagWSID,
+			flagSet:         true,
+			cfgWorkspaceID:  resolvedWSID,
+			path:            workspacePath,
+			want:            flagWSID,
+		},
+		{
+			name:            "--workspace-id on account path still overrides",
+			workspaceIDFlag: flagWSID,
+			flagSet:         true,
+			cfgWorkspaceID:  resolvedWSID,
+			path:            accountPath,
+			want:            flagWSID,
+		},
+		{
+			name:             "--workspace-id empty value -> error",
+			workspaceIDFlag:  "",
+			flagSet:          true,
+			cfgWorkspaceID:   resolvedWSID,
+			path:             workspacePath,
+			wantErrSubstring: "--workspace-id requires a value",
+		},
+		{
+			name:             "--account and --workspace-id both set -> error",
+			forceAccount:     true,
+			workspaceIDFlag:  flagWSID,
+			flagSet:          true,
+			cfgWorkspaceID:   resolvedWSID,
+			path:             workspacePath,
+			wantErrSubstring: "mutually exclusive",
+		},
+	}
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			got, err := resolveOrgID(c.forceAccount, c.workspaceIDFlag, c.flagSet, c.cfgWorkspaceID, c.path)
+			if c.wantErrSubstring != "" {
+				require.Error(t, err)
+				assert.Contains(t, err.Error(), c.wantErrSubstring)
+				return
+			}
+			require.NoError(t, err)
+			assert.Equal(t, c.want, got)
+		})
+	}
+}
+
+// TestNormalizeWorkspaceID covers the helper that strips the CLI-only
+// WorkspaceIDNone sentinel. RunE calls this directly before resolveOrgID, so
+// a regression here would surface as the literal "none" being sent on the
+// wire.
+func TestNormalizeWorkspaceID(t *testing.T) {
+	cases := []struct {
+		name string
+		in   string
+		want string
+	}{
+		{"sentinel stripped to empty", auth.WorkspaceIDNone, ""},
+		{"empty passes through", "", ""},
+		{"normal value passes through", "900800700600", "900800700600"},
+	}
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			assert.Equal(t, c.want, normalizeWorkspaceID(c.in))
+		})
+	}
+}
+
+func TestSubstituteAccountID(t *testing.T) {
+	cases := []struct {
+		name             string
+		path             string
+		accountID        string
+		profile          string
+		want             string
+		wantErrSubstring string
+	}{
+		{
+			name:      "placeholder absent leaves path unchanged",
+			path:      "/api/2.0/clusters/list",
+			accountID: "abc-123",
+			profile:   "DEFAULT",
+			want:      "/api/2.0/clusters/list",
+		},
+		{
+			name:      "placeholder present + account_id set",
+			path:      "/api/2.0/accounts/{account_id}/oauth2/published-app-integrations",
+			accountID: "abc-123",
+			profile:   "DEFAULT",
+			want:      "/api/2.0/accounts/abc-123/oauth2/published-app-integrations",
+		},
+		{
+			name:      "multiple placeholders all replaced",
+			path:      "/api/2.0/accounts/{account_id}/workspaces/123/foo?ref=accounts/{account_id}",
+			accountID: "abc-123",
+			profile:   "DEFAULT",
+			want:      "/api/2.0/accounts/abc-123/workspaces/123/foo?ref=accounts/abc-123",
+		},
+		{
+			name:             "placeholder present + account_id empty -> error",
+			path:             "/api/2.0/accounts/{account_id}/oauth2/published-app-integrations",
+			accountID:        "",
+			profile:          "DEFAULT",
+			wantErrSubstring: `{account_id}`,
+		},
+	}
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			got, err := substituteAccountID(c.path, c.accountID, c.profile)
+			if c.wantErrSubstring != "" {
+				require.Error(t, err)
+				assert.Contains(t, err.Error(), c.wantErrSubstring)
+				assert.Contains(t, err.Error(), `profile "`+c.profile+`"`)
+				assert.Contains(t, err.Error(), "DATABRICKS_ACCOUNT_ID")
+				return
+			}
+			require.NoError(t, err)
+			assert.Equal(t, c.want, got)
+		})
+	}
+}
diff --git a/cmd/api/internal/genpaths/classify.go b/cmd/api/internal/genpaths/classify.go
index 142ab5b63b..10cf30472b 100644
--- a/cmd/api/internal/genpaths/classify.go
+++ b/cmd/api/internal/genpaths/classify.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"go/ast"
 	"go/token"
+	"slices"
 	"strconv"
 	"strings"
 )
@@ -86,15 +87,13 @@ func classifySprintf(call *ast.CallExpr) (classification, error) {
 		return classification{class: classNotAccount}, nil
 	}
 
-	for _, a := range call.Args[1:] {
-		if isAccountIDSource(a) {
-			return classification{class: classAccountAPI}, nil
-		}
+	if slices.ContainsFunc(call.Args[1:], isAccountIDSource) {
+		return classification{class: classAccountAPI}, nil
 	}
 
 	prefix := prefixUpToFirstVerb(template)
 	if prefix == "" {
-		return classification{}, fmt.Errorf("Sprintf template %q has no format verb", template)
+		return classification{}, fmt.Errorf("fmt.Sprintf template %q has no format verb", template)
 	}
 	// Guard: a prefix ending exactly at "accounts/" would match every account
 	// API under that family if it leaked into the deny-list. Refuse to emit
diff --git a/cmd/api/internal/genpaths/main.go b/cmd/api/internal/genpaths/main.go
index 0e963076ae..5dd797d06a 100644
--- a/cmd/api/internal/genpaths/main.go
+++ b/cmd/api/internal/genpaths/main.go
@@ -18,7 +18,6 @@ import (
 	"go/format"
 	"go/parser"
 	"go/token"
-	"log"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -31,7 +30,8 @@ const sdkModule = "github.com/databricks/databricks-sdk-go"
 
 func main() {
 	if err := run(os.Stdout); err != nil {
-		log.Fatalf("genpaths: %v", err)
+		fmt.Fprintf(os.Stderr, "genpaths: %v\n", err)
+		os.Exit(1)
 	}
 }
 
@@ -112,6 +112,8 @@ func scanAST(fset *token.FileSet, f *ast.File, prefixSet, exactSet map[string]st
 			exactSet[res.value] = struct{}{}
 		case classWorkspaceProxyPrefix:
 			prefixSet[res.value] = struct{}{}
+		case classNotAccount, classAccountAPI:
+			// nothing to record; not part of the deny-list
 		}
 		return true
 	}