# atmos secret validate

Validate that every **required** declared secret for a stack and component is initialized in its configured backend. The command exits `0` when all required secrets are present and exits non-zero (`1`) when any required secret is missing, making it well suited for CI pipelines and pre-deployment gates.

## Usage

```shell
atmos secret validate [flags]
```

## Examples

```shell
# Validate that all required secrets are initialized
atmos secret validate --stack=prod --component=api

# Disambiguate a component that exists in multiple types
atmos secret validate --stack=prod --component=api --type=terraform

# Validate using a specific identity for the backend
atmos secret validate --stack=prod --component=api --identity=aws/prod-secrets

# Use the non-zero exit code as a CI gate
atmos secret validate --stack=prod --component=api && echo "all secrets present"
```

## Arguments

- **n/a**
  No positional arguments.

## Flags

- **`--stack` (alias `-s`)**

  The Atmos stack to operate on. **Required.**

  **Environment variable:** `ATMOS_STACK`
- **`--component` (alias `-c`)**

  The Atmos component whose required secrets are validated. **Required.**

  **Environment variable:** `ATMOS_COMPONENT`
- **`--type`**

  The component type (`terraform`, `helmfile`, `packer`, or `ansible`). Used to disambiguate when a component name exists in more than one type.
- **`--identity` (alias `-i`)**

  The identity to use when accessing the secret backend.

  **Environment variable:** `ATMOS_IDENTITY`

:::note Exit codes
`validate` exits `0` when every required secret is initialized and exits `1` when one or more required secrets are missing. Optional (non-required) secrets do not affect the exit code.
:::

## See Also

- [atmos secret](/cli/commands/secret/usage) — Overview of the secret command group
- [`!secret` YAML function](/functions/yaml/secret) — Resolve declared secrets at runtime