diff --git a/docs/resources/tailnet_key.md b/docs/resources/tailnet_key.md
index 0e20c616..f0bba8b9 100644
--- a/docs/resources/tailnet_key.md
+++ b/docs/resources/tailnet_key.md
@@ -17,6 +17,7 @@ resource "tailscale_tailnet_key" "sample_key" {
   reusable      = true
   ephemeral     = false
   preauthorized = true
+  expiry        = 3600
 }
 ```
 
@@ -26,6 +27,7 @@ resource "tailscale_tailnet_key" "sample_key" {
 ### Optional
 
 - `ephemeral` (Boolean) Indicates if the key is ephemeral.
+- `expiry` (Number) The expiry of the key in seconds
 - `preauthorized` (Boolean) Determines whether or not the machines authenticated by the key will be authorized for the tailnet by default.
 - `reusable` (Boolean) Indicates if the key is reusable or single-use.
 - `tags` (Set of String) List of tags to apply to the machines authenticated by the key.
diff --git a/examples/resources/tailscale_tailnet_key/resource.tf b/examples/resources/tailscale_tailnet_key/resource.tf
index 5b5ba8fa..8d20667f 100644
--- a/examples/resources/tailscale_tailnet_key/resource.tf
+++ b/examples/resources/tailscale_tailnet_key/resource.tf
@@ -2,4 +2,5 @@ resource "tailscale_tailnet_key" "sample_key" {
   reusable      = true
   ephemeral     = false
   preauthorized = true
+  expiry        = 3600
 }
diff --git a/tailscale/resource_tailnet_key.go b/tailscale/resource_tailnet_key.go
index 28df41ad..fceaa8bb 100644
--- a/tailscale/resource_tailnet_key.go
+++ b/tailscale/resource_tailnet_key.go
@@ -49,6 +49,12 @@ func resourceTailnetKey() *schema.Resource {
 				Computed:    true,
 				Sensitive:   true,
 			},
+			"expiry": {
+				Type:        schema.TypeInt,
+				Optional:    true,
+				Description: "The expiry of the key in seconds",
+				ForceNew:    true,
+			},
 		},
 	}
 }
@@ -58,6 +64,7 @@ func resourceTailnetKeyCreate(ctx context.Context, d *schema.ResourceData, m int
 	reusable := d.Get("reusable").(bool)
 	ephemeral := d.Get("ephemeral").(bool)
 	preauthorized := d.Get("preauthorized").(bool)
+	expiry := d.Get("expiry").(int)
 	var tags []string
 	for _, tag := range d.Get("tags").(*schema.Set).List() {
 		tags = append(tags, tag.(string))
@@ -68,6 +75,7 @@ func resourceTailnetKeyCreate(ctx context.Context, d *schema.ResourceData, m int
 	capabilities.Devices.Create.Ephemeral = ephemeral
 	capabilities.Devices.Create.Tags = tags
 	capabilities.Devices.Create.Preauthorized = preauthorized
+	capabilities.Devices.Create.Expiry = expiry
 
 	key, err := client.CreateKey(ctx, capabilities)
 	if err != nil {
diff --git a/tailscale/resource_tailnet_key_test.go b/tailscale/resource_tailnet_key_test.go
index 16da9dc8..6161fe82 100644
--- a/tailscale/resource_tailnet_key_test.go
+++ b/tailscale/resource_tailnet_key_test.go
@@ -15,6 +15,7 @@ const testTailnetKey = `
 		ephemeral = true
 		preauthorized = true
 		tags = ["tag:server"]
+		expiry = 3600
 	}
 `