diff --git a/app/api/streak/route.test.ts b/app/api/streak/route.test.ts
index bd6e1405..435af5b8 100644
--- a/app/api/streak/route.test.ts
+++ b/app/api/streak/route.test.ts
@@ -122,12 +122,21 @@ describe('GET /api/streak', () => {
 
       expect(response.status).toBe(400);
       const body = await response.json();
-      expect(response.status).toBe(400);
       expect(body.error).toBe('Invalid parameters');
       expect(body.details).not.toBeNull();
       expect(typeof body.details).toBe('object');
       expect(Array.isArray(body.details)).toBe(false);
     });
+    it('returns 400 when org parameter contains spaces and invalid characters', async () => {
+      const response = await GET(
+        makeRequest({ user: 'octocat', org: 'invalid_org_name_with_spaces' })
+      );
+
+      expect(response.status).toBe(400);
+      const body = await response.json();
+      expect(body.details.fieldErrors.org[0]).toBe('Invalid organization name format');
+      expect(getOrgDashboardData).not.toHaveBeenCalled();
+    });
 
     it('does not hit the GitHub API at all when user is missing', async () => {
       await GET(makeRequest());
diff --git a/lib/validations.test.ts b/lib/validations.test.ts
index 1aa1b4e9..00504f25 100644
--- a/lib/validations.test.ts
+++ b/lib/validations.test.ts
@@ -633,6 +633,21 @@ describe('streakParamsSchema — boolean transform fields', () => {
   });
 });
 
+describe('streakParamsSchema — org parameter validation', () => {
+  it('should reject org parameter with spaces and special characters', () => {
+    const result = streakParamsSchema.safeParse({
+      user: 'octocat',
+      org: 'invalid_org_name_with_spaces',
+    });
+
+    expect(result.success).toBe(false);
+    if (!result.success) {
+      const fieldError = result.error.flatten().fieldErrors.org?.[0];
+      expect(fieldError).toBe('Invalid organization name format');
+    }
+  });
+});
+
 describe('ogParamsSchema', () => {
   it('should keep provided user value', () => {
     const result = ogParamsSchema.safeParse({