diff --git a/README.md b/README.md
index 8373110..3213bce 100644
--- a/README.md
+++ b/README.md
@@ -62,6 +62,12 @@ tcld apikey create --name <api-key-name> --description <api-key-description> --d
 ```
 tcld apikey list
 ```
+
+### List API Keys for a specific account (ServiceAccount or User):
+```
+tcld apikey list --owner-id <account-id>
+```
+
 ### Delete an API Key:
 ```
 tcld apikey delete --id <api-key-id>
@@ -75,6 +81,8 @@ tcld apikey enable --id <api-key-id>
 ```
 
 ### Performing an API Key rotation:
+
+#### Current User Specific Rotation
 1. Generate the new API key to rotate to.
 ```
 tcld apikey create --name <api-key-name> --description <api-key-description> --duration <api-key-duration>
@@ -85,6 +93,17 @@ tcld apikey create --name <api-key-name> --description <api-key-description> --d
 tcld apikey delete --id <api-key-id>
 ```
 
+#### Service Account Specific Rotation
+1. Generate the new API key to rotate to.
+```
+tcld apikey create --name <api-key-name> --description <api-key-description> --duration <api-key-duration> --service-account-id <service-account-id>
+```
+2. Update temporal clients to use the new API key and monitor deployments to make sure all old API key usage is gone.
+3. Delete the old API key.
+```
+tcld apikey delete --id <api-key-id>
+```
+
 # Namespace Management
 
 ### List namespaces user has access to:
diff --git a/app/apikey.go b/app/apikey.go
index 1511343..b2ca2dc 100644
--- a/app/apikey.go
+++ b/app/apikey.go
@@ -12,6 +12,10 @@ import (
 	"github.com/urfave/cli/v2"
 )
 
+const (
+	ownerIDFlagName = "owner-id"
+)
+
 type (
 	APIKeyClient struct {
 		client authservice.AuthServiceClient
@@ -85,12 +89,13 @@ func (s *APIKeyClient) createServiceAccountAPIKey(
 	return PrintProto(resp)
 }
 
-func (s *APIKeyClient) listAPIKey() error {
+func (s *APIKeyClient) listAPIKey(ownerId string) error {
 
 	totalRes := &authservice.GetAPIKeysResponse{}
 	pageToken := ""
 	for {
 		resp, err := s.client.GetAPIKeys(s.ctx, &authservice.GetAPIKeysRequest{
+			OwnerId:   ownerId,
 			PageToken: pageToken,
 		})
 		if err != nil {
@@ -258,9 +263,17 @@ func NewAPIKeyCommand(getAPIKeyClientFn GetAPIKeyClientFn) (CommandOut, error) {
 					Name:    "list",
 					Usage:   "List apikeys",
 					Aliases: []string{"l"},
-					Flags:   []cli.Flag{},
+					Flags: []cli.Flag{
+						&cli.StringFlag{
+							Name:    ownerIDFlagName,
+							Usage:   "The owner id of the API Keys to list",
+							Aliases: []string{"o"},
+						},
+					},
 					Action: func(ctx *cli.Context) error {
-						return c.listAPIKey()
+						return c.listAPIKey(
+							ctx.String(ownerIDFlagName),
+						)
 					},
 				},
 				{
diff --git a/app/apikey_test.go b/app/apikey_test.go
index f24e17e..299651e 100644
--- a/app/apikey_test.go
+++ b/app/apikey_test.go
@@ -89,6 +89,17 @@ func (s *APIKeyTestSuite) TestList() {
 	s.NoError(s.RunCmd("apikey", "list"))
 }
 
+func (s *APIKeyTestSuite) TestOwnerIdList() {
+	s.mockAuthService.EXPECT().GetAPIKeys(gomock.Any(), gomock.Any()).Return(&authservice.GetAPIKeysResponse{
+		ApiKeys: []*auth.APIKey{
+			{
+				Id: "test-apikey-id-1",
+			},
+		},
+	}, nil).Times(1)
+	s.NoError(s.RunCmd("apikey", "list", "--owner-id", "ownerID"))
+}
+
 func (s *APIKeyTestSuite) TestCreate() {
 	s.Error(s.RunCmd("apikey", "create"))
 	s.Error(s.RunCmd("apikey", "create", "--name", "test1"))