diff --git a/src/go/k8s/api/cluster.redpanda.com/v1alpha1/zz_generated.deepcopy.go b/src/go/k8s/api/cluster.redpanda.com/v1alpha1/zz_generated.deepcopy.go index ce021f2d3..11984be29 100644 --- a/src/go/k8s/api/cluster.redpanda.com/v1alpha1/zz_generated.deepcopy.go +++ b/src/go/k8s/api/cluster.redpanda.com/v1alpha1/zz_generated.deepcopy.go @@ -14,7 +14,7 @@ package v1alpha1 import ( - v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" ) diff --git a/src/go/k8s/api/vectorized/v1alpha1/console_enterprise_types.go b/src/go/k8s/api/vectorized/v1alpha1/console_enterprise_types.go index 6ea4a0f7a..c616666e5 100644 --- a/src/go/k8s/api/vectorized/v1alpha1/console_enterprise_types.go +++ b/src/go/k8s/api/vectorized/v1alpha1/console_enterprise_types.go @@ -45,6 +45,11 @@ type EnterpriseLoginRedpandaCloud struct { // AllowedOrigins indicates if response is allowed from given origin AllowedOrigins []string `json:"allowedOrigins,omitempty" yaml:"allowedOrigins,omitempty"` + + // OrgID refers to the Redpanda Cloud organization id that Console is running in. + // If the OrgID is set, Console will ensure that incoming requests will only pass + // if the provided access token matches this org id in the custom claims. + OrgID string `json:"orgId,omitempty" yaml:"orgId,omitempty"` } // IsGoogleLoginEnabled returns true if Google SSO provider is enabled diff --git a/src/go/k8s/config/crd/bases/redpanda.vectorized.io_consoles.yaml b/src/go/k8s/config/crd/bases/redpanda.vectorized.io_consoles.yaml index e35c78239..d731cb18f 100644 --- a/src/go/k8s/config/crd/bases/redpanda.vectorized.io_consoles.yaml +++ b/src/go/k8s/config/crd/bases/redpanda.vectorized.io_consoles.yaml 
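Review bot: The new `OrgID` field on `EnterpriseLoginRedpandaCloud` is optional (`omitempty`, and the CRD hunk leaves `orgId` out of `required`), and its comment says the claim check applies only when the field is set, so a Console resource that omits it appears to get no organization restriction on Redpanda Cloud access tokens. The field comment should state that default explicitly, for example `// When OrgID is empty no organization check is configured; set it wherever tokens issued for other organizations must be rejected.` The `genLogin` hunk in `configmap.go` copies the value through unchanged, empty string included, so nothing in the operator flags a missing value either; whether Console itself fails closed in that case is not visible on this page. The struct declaration begins outside this hunk.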
@@ -479,6 +479,13 @@ spec:
 type: string
 enabled:
 type: boolean
+ orgId:
+ description: OrgID refers to the Redpanda Cloud organization
+ id that Console is running in. If the OrgID is set, Console
+ will ensure that incoming requests will only pass if the
+ provided access token matches this org id in the custom
+ claims.
+ type: string
 required:
 - audience
 - domain
diff --git a/src/go/k8s/pkg/console/configmap.go b/src/go/k8s/pkg/console/configmap.go
index 9655917d2..612afc1b6 100644
--- a/src/go/k8s/pkg/console/configmap.go
+++ b/src/go/k8s/pkg/console/configmap.go
@@ -304,6 +304,7 @@ func (cm *ConfigMap) genLogin(
 switch {
 case provider.RedpandaCloud != nil:
 enterpriseLogin.RedpandaCloud = &vectorizedv1alpha1.EnterpriseLoginRedpandaCloud{
+ OrgID: provider.RedpandaCloud.OrgID,
 Enabled: provider.RedpandaCloud.Enabled,
 Domain: provider.RedpandaCloud.Domain,
 Audience: provider.RedpandaCloud.Audience,