diff --git a/service/src/main/java/org/whispersystems/textsecuregcm/controllers/CertificateController.java b/service/src/main/java/org/whispersystems/textsecuregcm/controllers/CertificateController.java
index 5885d81de..ac0ef4f93 100644
--- a/service/src/main/java/org/whispersystems/textsecuregcm/controllers/CertificateController.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/controllers/CertificateController.java
@@ -8,8 +8,10 @@ package org.whispersystems.textsecuregcm.controllers;
 import static com.codahale.metrics.MetricRegistry.name;
 
 import com.google.common.annotations.VisibleForTesting;
+import com.google.common.net.HttpHeaders;
 import io.dropwizard.auth.Auth;
 import io.micrometer.core.instrument.Metrics;
+import io.micrometer.core.instrument.Tags;
 import io.swagger.v3.oas.annotations.tags.Tag;
 import java.security.InvalidKeyException;
 import java.time.Clock;
@@ -23,6 +25,7 @@ import javax.annotation.Nonnull;
 import javax.ws.rs.BadRequestException;
 import javax.ws.rs.DefaultValue;
 import javax.ws.rs.GET;
+import javax.ws.rs.HeaderParam;
 import javax.ws.rs.Path;
 import javax.ws.rs.Produces;
 import javax.ws.rs.QueryParam;
@@ -39,6 +42,7 @@ import org.whispersystems.textsecuregcm.auth.CertificateGenerator;
 import org.whispersystems.textsecuregcm.entities.DeliveryCertificate;
 import org.whispersystems.textsecuregcm.entities.GroupCredentials;
 import org.whispersystems.textsecuregcm.identity.IdentityType;
+import org.whispersystems.textsecuregcm.metrics.UserAgentTagUtil;
 import org.whispersystems.websocket.auth.ReadOnly;
 
 @SuppressWarnings("OptionalUsedAsFieldOrParameterType")
@@ -55,6 +59,8 @@ public class CertificateController {
   public static final Duration MAX_REDEMPTION_DURATION = Duration.ofDays(7);
   private static final String GENERATE_DELIVERY_CERTIFICATE_COUNTER_NAME = name(CertificateGenerator.class, "generateCertificate");
   private static final String INCLUDE_E164_TAG_NAME = "includeE164";
+  private static final String GET_GROUP_AUTHENTICATION_CREDENTIALS_COUNTER_NAME = name(CertificateController.class,
+      "getGroupAuthenticationCredentials");
 
   public CertificateController(
       @Nonnull CertificateGenerator certificateGenerator,
@@ -90,6 +96,7 @@ public class CertificateController {
   @Path("/auth/group")
   public GroupCredentials getGroupAuthenticationCredentials(
       @ReadOnly @Auth AuthenticatedDevice auth,
+      @HeaderParam(HttpHeaders.USER_AGENT) String userAgent,
       @QueryParam("redemptionStartSeconds") long startSeconds,
       @QueryParam("redemptionEndSeconds") long endSeconds,
       @QueryParam("zkcCredential") boolean zkcCredential) {
@@ -107,6 +114,11 @@ public class CertificateController {
       throw new BadRequestException();
     }
 
+    Metrics
+        .counter(GET_GROUP_AUTHENTICATION_CREDENTIALS_COUNTER_NAME,
+            Tags.of(UserAgentTagUtil.getPlatformTag(userAgent)).and("zkcCredential", String.valueOf(zkcCredential)))
+        .increment();
+
     final List<GroupCredentials.GroupCredential> credentials = new ArrayList<>();
     final List<GroupCredentials.CallLinkAuthCredential> callLinkAuthCredentials = new ArrayList<>();