diff --git a/docs/resources/tailnet_key.md b/docs/resources/tailnet_key.md
index 17b9e37..5d894db 100644
--- a/docs/resources/tailnet_key.md
+++ b/docs/resources/tailnet_key.md
@@ -34,6 +34,7 @@ resource "tailscale_tailnet_key" "sample_key" {
 - `recreate_if_invalid` (String) Determines whether the key should be created again if it becomes invalid. By default, reusable keys will be recreated, but single-use keys will not. Possible values: 'always', 'never'.
 - `reusable` (Boolean) Indicates if the key is reusable or single-use. Defaults to `false`.
 - `tags` (Set of String) List of tags to apply to the machines authenticated by the key.
+- `user_id` (String) ID of the user who created this key, empty for keys created by OAuth clients.
 
 ### Read-Only
 
diff --git a/tailscale/resource_tailnet_key.go b/tailscale/resource_tailnet_key.go
index 75832a7..0d31933 100644
--- a/tailscale/resource_tailnet_key.go
+++ b/tailscale/resource_tailnet_key.go
@@ -102,6 +102,12 @@ func resourceTailnetKey() *schema.Resource {
 					}
 				},
 			},
+			"user_id": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "ID of the user who created this key, empty for keys created by OAuth clients.",
+				Computed:    true,
+			},
 		},
 	}
 }
@@ -257,5 +263,9 @@ func resourceTailnetKeyRead(ctx context.Context, d *schema.ResourceData, m inter
 		return diagnosticsError(err, "Failed to set 'invalid'")
 	}
 
+	if err = d.Set("user_id", key.UserID); err != nil {
+		return diagnosticsError(err, "Failed to set 'user_id'")
+	}
+
 	return nil
 }
diff --git a/tailscale/resource_tailnet_key_test.go b/tailscale/resource_tailnet_key_test.go
index 60104c5..c5e8e83 100644
--- a/tailscale/resource_tailnet_key_test.go
+++ b/tailscale/resource_tailnet_key_test.go
@@ -213,6 +213,9 @@ func TestAccTailscaleTailnetKey(t *testing.T) {
 			// don't compare IDs
 			actual.ID = ""
 
+			// don't compare user IDs
+			actual.UserID = ""
+
 			if err := assertEqual(expected, actual, "wrong key"); err != nil {
 				return err
 			}