feat: populate dbt_cloud_account_identifier in telemetry events (#701)

## Summary

Populate the `dbt_cloud_account_identifier` field in telemetry events,
which was previously hardcoded to an empty string.

## What Changed

- Added `account_identifier` field to `DbtMcpSettings`
- Added `get_account()` method to `DbtAdminAPIClient` (`GET
/api/v2/accounts/{account_id}/`)
- Resolve account identifier during credential setup:
- **OAuth path**: Extract from JWT claim
`https://dbt.com/account_identifier`, falling back to Admin API
  - **PAT path**: Fetch from Admin API
- Both paths degrade gracefully — if resolution fails, the field remains
empty
- Use the resolved value in the `VortexTelemetryDbtCloudContext`
telemetry event

## Why

We populate the `account_id` field rather than hardcoding an empty
string to conform to telemetry collector expectations.

## Related Issues

N/A

## Checklist
- [x] I have performed a self-review of my code
- [x] I have made corresponding changes to the documentation (in
https://github.com/dbt-labs/docs.getdbt.com) if required -- No
documentation changes needed; this is an internal telemetry change
- [x] I have added tests that prove my fix is effective or that my
feature works
- [x] New and existing unit tests pass locally with my changes

## Additional Notes

**Testing evidence:**
- `task test:unit`: 469 tests passed
- `ruff check`, `ruff format`, `mypy`: all clean

Tests added:
- `test_get_account` — verifies the new Admin API client method
- `test_emit_tool_called_event_account_identifier_none` — verifies empty
string fallback when identifier is unresolved
- `test_oauth_extracts_identifier_from_jwt_claims` — verifies JWT claim
extraction
- `test_oauth_falls_back_to_admin_api` — verifies API fallback when JWT
claim is absent
- `test_pat_fetches_identifier_from_admin_api` — verifies PAT path
resolution
- `test_api_failure_does_not_break_credentials` — verifies graceful
degradation

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Devon Fulcher <24593113+DevonFulcher@users.noreply.github.com>

Author: 3 people

.changes/unreleased/Enhancement or New Feature-20260402-120000.yaml

@@ -0,0 +1,3 @@
+kind: Enhancement or New Feature
+body: Populate dbt_cloud_account_identifier in telemetry events
+time: 2026-04-02T12:00:00.000000-07:00

src/dbt_mcp/config/config_providers/admin_api.py

@@ -1,8 +1,14 @@
+from __future__ import annotations
+
+from typing import TYPE_CHECKING
+
 from dbt_mcp.config.headers import AdminApiHeadersProvider
-from dbt_mcp.config.credentials import CredentialsProvider
 
 from .base import AdminApiConfig, ConfigProvider
 
+if TYPE_CHECKING:
+    from dbt_mcp.config.credentials import CredentialsProvider
+
 
 class DefaultAdminApiConfigProvider(ConfigProvider[AdminApiConfig]):
     def __init__(self, credentials_provider: CredentialsProvider):

src/dbt_mcp/config/credentials.py

@@ -6,8 +6,10 @@
 
 from filelock import FileLock
 
+from dbt_mcp.config.config_providers.admin_api import DefaultAdminApiConfigProvider
 from dbt_mcp.config.headers import TokenProvider
 from dbt_mcp.config.settings import DbtMcpSettings
+from dbt_mcp.dbt_admin.client import DbtAdminAPIClient
 from dbt_mcp.oauth.context_manager import DbtPlatformContextManager
 from dbt_mcp.oauth.dbt_platform import DbtPlatformContext
 from dbt_mcp.oauth.expiry import STARTUP_EXPIRY_BUFFER_SECONDS
@@ -177,6 +179,21 @@ def __init__(self, settings: "DbtMcpSettings") -> None:
         self.settings = settings
         self.token_provider: TokenProvider | None = None
         self.authentication_method: AuthenticationMethod | None = None
+        self.account_identifier: str | None = None
+
+    async def _resolve_account_identifier(self) -> None:
+        """Fetch and store the account identifier from the Admin API.
+
+        Fails silently — account_identifier remains None on error.
+        """
+        if not self.settings.dbt_account_id or not self.settings.actual_host:
+            return
+        try:
+            admin_client = DbtAdminAPIClient(DefaultAdminApiConfigProvider(self))
+            account_data = await admin_client.get_account(self.settings.dbt_account_id)
+            self.account_identifier = account_data.get("identifier")
+        except Exception as e:
+            logger.warning(f"Failed to fetch account identifier: {e}")
 
     def _log_settings(self) -> None:
         settings = self.settings.model_dump()
@@ -245,6 +262,7 @@ async def get_credentials(self) -> "tuple[DbtMcpSettings, TokenProvider]":
                 context_manager=dbt_platform_context_manager,
             )
             self.token_provider = token_provider
+            await self._resolve_account_identifier()
 
             # Only validate CLI settings here — platform settings were already
             # checked at the top of get_credentials() and the OAuth flow has
@@ -280,6 +298,7 @@ async def get_credentials(self) -> "tuple[DbtMcpSettings, TokenProvider]":
                 self.settings.host_prefix = fetched_prefix
                 self.settings.dbt_host = self.settings.base_host
                 logger.info(f"Fetched prefix {fetched_prefix} from dbt Platform.")
+        await self._resolve_account_identifier()
         validate_settings(self.settings)
         self.authentication_method = AuthenticationMethod.ENV_VAR
         self._log_settings()

src/dbt_mcp/dbt_admin/client.py

@@ -52,6 +52,14 @@ async def _make_request(
             logger.error(f"API request failed: {e}")
             raise AdminAPIError(f"API request failed: {e}")
 
+    async def get_account(self, account_id: int) -> dict[str, Any]:
+        """Get details for an account."""
+        result = await self._make_request(
+            "GET",
+            f"/api/v2/accounts/{account_id}/",
+        )
+        return result.get("data", {})
+
     @staticmethod
     def resolve_environments(
         environments: list[DbtPlatformEnvironmentResponse],

src/dbt_mcp/tracking/tracking.py

@@ -145,7 +145,8 @@ async def emit_tool_called_event(
                         session_id=str(self.session_id),
                         referrer_url="",
                         dbt_cloud_account_id=dbt_cloud_account_id,
-                        dbt_cloud_account_identifier="",
+                        dbt_cloud_account_identifier=self.credentials_provider.account_identifier
+                        or "",
                         dbt_cloud_project_id="",
                         dbt_cloud_environment_id="",
                         dbt_cloud_user_id=dbt_cloud_user_id,

tests/unit/dbt_admin/test_client.py

@@ -636,6 +636,28 @@ async def test_list_projects(client):
     )
 
 
+async def test_get_account(client):
+    mock_response = MagicMock()
+    mock_response.json.return_value = {
+        "data": {"id": 12345, "name": "Test Account", "identifier": "ab123"}
+    }
+    mock_response.raise_for_status.return_value = None
+
+    mock_client = create_mock_httpx_client(mock_response)
+
+    with patch("httpx.AsyncClient", return_value=mock_client):
+        result = await client.get_account(12345)
+
+    assert result == {"id": 12345, "name": "Test Account", "identifier": "ab123"}
+    headers = await client.get_headers()
+    mock_client.request.assert_called_once_with(
+        "GET",
+        "https://cloud.getdbt.com/api/v2/accounts/12345/",
+        headers=headers,
+        follow_redirects=True,
+    )
+
+
 async def test_list_projects_no_semantic_layer(client):
     mock_response = MagicMock()
     mock_response.json.return_value = {

tests/unit/oauth/test_credentials_provider.py

@@ -31,6 +31,7 @@ async def test_authentication_method_oauth(self):
         mock_dbt_context.prod_environment.id = 123
         mock_decoded_token = MagicMock()
         mock_decoded_token.access_token_response.access_token = "mock_token"
+        mock_decoded_token.decoded_claims = {}
         mock_dbt_context.decoded_access_token = mock_decoded_token
 
         with (
@@ -134,6 +135,7 @@ async def test_oauth_path_does_not_set_dbt_token(self):
         mock_dbt_context.prod_environment.id = 123
         mock_decoded_token = MagicMock()
         mock_decoded_token.access_token_response.access_token = "mock_oauth_token"
+        mock_decoded_token.decoded_claims = {}
         mock_dbt_context.decoded_access_token = mock_decoded_token
 
         with (
@@ -171,6 +173,7 @@ async def test_oauth_path_uses_factory_with_background_refresh(self):
         mock_dbt_context.prod_environment.id = 123
         mock_decoded_token = MagicMock()
         mock_decoded_token.access_token_response.access_token = "mock_token"
+        mock_decoded_token.decoded_claims = {}
         mock_dbt_context.decoded_access_token = mock_decoded_token
 
         with (
@@ -212,6 +215,7 @@ async def test_oauth_path_does_not_call_validate_settings(self):
         mock_dbt_context.prod_environment.id = 123
         mock_decoded_token = MagicMock()
         mock_decoded_token.access_token_response.access_token = "mock_token"
+        mock_decoded_token.decoded_claims = {}
         mock_dbt_context.decoded_access_token = mock_decoded_token
 
         with (
@@ -259,7 +263,9 @@ async def test_dbt_platform_url_always_includes_prefix_once(self, dbt_host: str)
         mock_dbt_context.user_id = 789
         mock_dbt_context.dev_environment = None
         mock_dbt_context.prod_environment.id = 123
-        mock_dbt_context.decoded_access_token = MagicMock()
+        mock_decoded_token = MagicMock()
+        mock_decoded_token.decoded_claims = {}
+        mock_dbt_context.decoded_access_token = mock_decoded_token
 
         captured_urls: list[str] = []
 
@@ -313,7 +319,9 @@ async def test_warning_logged_when_dbt_token_set_but_platform_settings_incomplet
         mock_dbt_context.user_id = 789
         mock_dbt_context.dev_environment = None
         mock_dbt_context.prod_environment.id = 123
-        mock_dbt_context.decoded_access_token = MagicMock()
+        mock_decoded_token = MagicMock()
+        mock_decoded_token.decoded_claims = {}
+        mock_dbt_context.decoded_access_token = mock_decoded_token
 
         with (
             patch(
@@ -336,3 +344,100 @@ async def test_warning_logged_when_dbt_token_set_but_platform_settings_incomplet
 
         assert "DBT_TOKEN is set but will be ignored" in caplog.text
         assert "Falling back to OAuth authentication" in caplog.text
+
+
+class TestCredentialsProviderAccountIdentifier:
+    """Test account_identifier population in both OAuth and PAT paths."""
+
+    @pytest.mark.asyncio
+    async def test_oauth_fetches_identifier_from_admin_api(self):
+        """OAuth path fetches account_identifier from Admin API."""
+        mock_settings = DbtMcpSettings.model_construct(
+            dbt_host="cloud.getdbt.com",
+            dbt_prod_env_id=123,
+            dbt_account_id=456,
+            dbt_token=None,
+        )
+
+        credentials_provider = CredentialsProvider(mock_settings)
+
+        mock_dbt_context = MagicMock()
+        mock_dbt_context.account_id = 456
+        mock_dbt_context.host_prefix = "ab123"
+        mock_dbt_context.user_id = 789
+        mock_dbt_context.dev_environment.id = 111
+        mock_dbt_context.prod_environment.id = 123
+        mock_decoded_token = MagicMock()
+        mock_decoded_token.access_token_response.access_token = "mock_token"
+        mock_decoded_token.decoded_claims = {}
+        mock_dbt_context.decoded_access_token = mock_decoded_token
+
+        with (
+            patch(
+                "dbt_mcp.config.credentials.get_dbt_platform_context",
+                return_value=mock_dbt_context,
+            ),
+            patch(
+                "dbt_mcp.config.credentials.OAuthTokenProvider"
+            ) as mock_token_provider,
+            patch("dbt_mcp.config.settings.validate_dbt_cli_settings", return_value=[]),
+            patch(
+                "dbt_mcp.dbt_admin.client.DbtAdminAPIClient.get_account",
+                new_callable=AsyncMock,
+                return_value={"id": 456, "identifier": "ab123"},
+            ),
+        ):
+            mock_token_provider.create = AsyncMock(return_value=MagicMock())
+
+            await credentials_provider.get_credentials()
+
+            assert credentials_provider.account_identifier == "ab123"
+
+    @pytest.mark.asyncio
+    async def test_pat_fetches_identifier_from_admin_api(self):
+        """PAT path fetches account_identifier from Admin API."""
+        mock_settings = DbtMcpSettings.model_construct(
+            dbt_host="cloud.getdbt.com",
+            dbt_prod_env_id=123,
+            dbt_account_id=456,
+            dbt_token="test_token",
+        )
+
+        credentials_provider = CredentialsProvider(mock_settings)
+
+        with (
+            patch("dbt_mcp.config.settings.validate_settings"),
+            patch(
+                "dbt_mcp.dbt_admin.client.DbtAdminAPIClient.get_account",
+                new_callable=AsyncMock,
+                return_value={"id": 456, "identifier": "ab123"},
+            ),
+        ):
+            await credentials_provider.get_credentials()
+
+            assert credentials_provider.account_identifier == "ab123"
+
+    @pytest.mark.asyncio
+    async def test_api_failure_does_not_break_credentials(self):
+        """If Admin API call fails, get_credentials still succeeds."""
+        mock_settings = DbtMcpSettings.model_construct(
+            dbt_host="cloud.getdbt.com",
+            dbt_prod_env_id=123,
+            dbt_account_id=456,
+            dbt_token="test_token",
+        )
+
+        credentials_provider = CredentialsProvider(mock_settings)
+
+        with (
+            patch("dbt_mcp.config.settings.validate_settings"),
+            patch(
+                "dbt_mcp.dbt_admin.client.DbtAdminAPIClient.get_account",
+                new_callable=AsyncMock,
+                side_effect=Exception("API error"),
+            ),
+        ):
+            _, token_provider = await credentials_provider.get_credentials()
+
+            assert credentials_provider.account_identifier is None
+            assert token_provider is not None

tests/unit/tracking/test_tracking.py

@@ -55,6 +55,7 @@ async def test_emit_tool_called_event_enabled(self):
         )
 
         mock_credentials_provider = MockCredentialsProvider(mock_settings)
+        mock_credentials_provider.account_identifier = "ab123"
 
         tracker = DefaultUsageTracker(
             credentials_provider=mock_credentials_provider,
@@ -87,6 +88,40 @@ async def test_emit_tool_called_event_enabled(self):
         assert tool_called.dbt_cloud_environment_id_prod == "1"
         assert tool_called.dbt_cloud_user_id == "3"
         assert tool_called.local_user_id == "local-user"
+        assert tool_called.ctx.dbt_cloud_account_identifier == "ab123"
+
+    @pytest.mark.asyncio
+    async def test_emit_tool_called_event_account_identifier_none(self):
+        """When account_identifier is None, dbt_cloud_account_identifier defaults to empty string."""
+        mock_settings = DbtMcpSettings.model_construct(
+            do_not_track=None,
+            send_anonymous_usage_data=None,
+        )
+
+        tracker = DefaultUsageTracker(
+            credentials_provider=MockCredentialsProvider(mock_settings),
+            session_id=uuid.uuid4(),
+        )
+
+        with (
+            patch("dbt_mcp.tracking.tracking.log_proto") as mock_log_proto,
+            patch(
+                "dbt_mcp.tracking.tracking.DefaultUsageTracker._get_local_user_id",
+                return_value="local-user",
+            ),
+        ):
+            await tracker.emit_tool_called_event(
+                tool_called_event=ToolCalledEvent(
+                    tool_name="list_metrics",
+                    arguments={},
+                    start_time_ms=0,
+                    end_time_ms=1,
+                    error_message=None,
+                ),
+            )
+
+        tool_called = mock_log_proto.call_args.args[0]
+        assert tool_called.ctx.dbt_cloud_account_identifier == ""
 
     @pytest.mark.asyncio
     async def test_get_local_user_id_success(self):