diff --git a/NEXT_CHANGELOG.md b/NEXT_CHANGELOG.md
index 9a44699ae..5edc9e45a 100755
--- a/NEXT_CHANGELOG.md
+++ b/NEXT_CHANGELOG.md
@@ -8,6 +8,7 @@
 ### Bug Fixes
 * Fixed non-JSON error responses (e.g. plain-text "Invalid Token" with HTTP 403) producing `Unknown` instead of the correct typed exception (`PermissionDenied`, `Unauthenticated`, etc.). The error message no longer contains Jackson deserialization internals.
 * Added `X-Databricks-Org-Id` header to deprecated workspace SCIM APIs (Groups, ServicePrincipals, Users) for SPOG host compatibility.
+* Added `X-Databricks-Org-Id` header to hand-written `Shares.list()` extension for SPOG host compatibility.
 * Fixed Databricks CLI authentication to detect when the cached token's scopes don't match the SDK's configured scopes. Previously, a scope mismatch was silently ignored, causing requests to use wrong permissions. The SDK now raises an error with instructions to re-authenticate.
 
 ### Security Vulnerabilities
diff --git a/databricks-sdk-java/src/main/java/com/databricks/sdk/service/sharing/SharesExtImpl.java b/databricks-sdk-java/src/main/java/com/databricks/sdk/service/sharing/SharesExtImpl.java
index a1ab2be87..386f883e9 100644
--- a/databricks-sdk-java/src/main/java/com/databricks/sdk/service/sharing/SharesExtImpl.java
+++ b/databricks-sdk-java/src/main/java/com/databricks/sdk/service/sharing/SharesExtImpl.java
@@ -19,6 +19,9 @@ public ListSharesResponse list(ListSharesRequest request) {
       Request req = new Request("GET", path);
       ApiClient.setQuery(req, request);
       req.withHeader("Accept", "application/json");
+      if (apiClient.workspaceId() != null) {
+        req.withHeader("X-Databricks-Org-Id", apiClient.workspaceId());
+      }
       return apiClient.execute(req, ListSharesResponse.class);
     } catch (IOException e) {
       throw new DatabricksException("IO error: " + e.getMessage(), e);