diff --git a/google/google.go b/google/google.go
index 6eb2aa9..81de32b 100644
--- a/google/google.go
+++ b/google/google.go
@@ -194,9 +194,16 @@ func (cs computeSource) Token() (*oauth2.Token, error) {
 	if res.ExpiresInSec == 0 || res.AccessToken == "" {
 		return nil, fmt.Errorf("oauth2/google: incomplete token received from metadata")
 	}
-	return &oauth2.Token{
+	tok := &oauth2.Token{
 		AccessToken: res.AccessToken,
 		TokenType:   res.TokenType,
 		Expiry:      time.Now().Add(time.Duration(res.ExpiresInSec) * time.Second),
-	}, nil
+	}
+	// NOTE(cbro): add hidden metadata about where the token is from.
+	// This is needed for detection by client libraries to know that credentials come from the metadata server.
+	// This may be removed in a future version of this library.
+	return tok.WithExtra(map[string]interface{}{
+		"oauth2.google.tokenSource":    "compute-metadata",
+		"oauth2.google.serviceAccount": acct,
+	}), nil
 }