diff --git a/sample-functions/ApiKeyProtected-Secrets/.gitignore b/sample-functions/ApiKeyProtected-Secrets/.gitignore
new file mode 100644
index 0000000000000000000000000000000000000000..4e568b8f985c170219d528a06b52f749b942649a
--- /dev/null
+++ b/sample-functions/ApiKeyProtected-Secrets/.gitignore
@@ -0,0 +1,2 @@
+ApiKeyProtected
+
diff --git a/sample-functions/ApiKeyProtected-Secrets/Dockerfile b/sample-functions/ApiKeyProtected-Secrets/Dockerfile
new file mode 100644
index 0000000000000000000000000000000000000000..9b3000a2bc6993380d7b968088b61f4c99dfa9c7
--- /dev/null
+++ b/sample-functions/ApiKeyProtected-Secrets/Dockerfile
@@ -0,0 +1,23 @@
+FROM golang:1.7.5 as builder
+RUN mkdir -p /go/src/app
+COPY handler.go /go/src/app
+WORKDIR /go/src/app
+
+RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
+
+
+FROM alpine:latest
+
+WORKDIR /root/
+
+EXPOSE 8080
+ENV http_proxy      ""
+ENV https_proxy     ""
+
+ADD https://github.com/alexellis/faas/releases/download/0.6.6d/fwatchdog /usr/bin
+RUN chmod +x /usr/bin/fwatchdog
+
+COPY --from=builder /go/src/app/app    .
+
+ENV fprocess="/root/app"
+CMD ["fwatchdog"]
diff --git a/sample-functions/ApiKeyProtected-Secrets/README.md b/sample-functions/ApiKeyProtected-Secrets/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..57cb284782781bb8014ee8badc7d202106a9d128
--- /dev/null
+++ b/sample-functions/ApiKeyProtected-Secrets/README.md
@@ -0,0 +1,6 @@
+### Api-Key-Protected sample
+
+See the [secure secret management guide](../guide/secure_secret_management.md) for instructions on how to use this function.
+
+When calling via the gateway pass the additional header "X-Api-Key", if it matches the `secret_api_key` value then the function will give access, otherwise access denied.
+
diff --git a/sample-functions/ApiKeyProtected-Secrets/app b/sample-functions/ApiKeyProtected-Secrets/app
new file mode 100755
index 0000000000000000000000000000000000000000..d45bfeeabe4447adae2299fa0991a6ecda553346
Binary files /dev/null and b/sample-functions/ApiKeyProtected-Secrets/app differ
diff --git a/sample-functions/ApiKeyProtected-Secrets/build.sh b/sample-functions/ApiKeyProtected-Secrets/build.sh
new file mode 100755
index 0000000000000000000000000000000000000000..1580de8c8ded8357eb21353e80a2a50f22636133
--- /dev/null
+++ b/sample-functions/ApiKeyProtected-Secrets/build.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+echo Building functions/api-key-protected:latest
+docker build --no-cache -t functions/api-key-protected:latest .
diff --git a/sample-functions/ApiKeyProtected-Secrets/handler.go b/sample-functions/ApiKeyProtected-Secrets/handler.go
new file mode 100644
index 0000000000000000000000000000000000000000..fa82c030d1c87c26ce340e6c6361f202f2608307
--- /dev/null
+++ b/sample-functions/ApiKeyProtected-Secrets/handler.go
@@ -0,0 +1,31 @@
+package main
+
+import (
+	"fmt"
+	"io/ioutil"
+	"log"
+	"os"
+	"strings"
+)
+
+func handle(body []byte) {
+	key := os.Getenv("Http_X_Api_Key")
+
+	secretBytes, err := ioutil.ReadFile("/run/secrets/secret_api_key")
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	secret := strings.TrimSpace(string(secretBytes))
+
+	if key == secret {
+		fmt.Println("Unlocked the function!")
+	} else {
+		fmt.Println("Access denied!")
+	}
+}
+
+func main() {
+	bytes, _ := ioutil.ReadAll(os.Stdin)
+	handle(bytes)
+}
diff --git a/sample-functions/ApiKeyProtected/Dockerfile.build b/sample-functions/ApiKeyProtected/Dockerfile.build
new file mode 100644
index 0000000000000000000000000000000000000000..146ef64f8044268aa72654832fab7d9677858074
--- /dev/null
+++ b/sample-functions/ApiKeyProtected/Dockerfile.build
@@ -0,0 +1,9 @@
+FROM golang:1.7.5
+RUN mkdir -p /go/src/app
+COPY handler.go /go/src/app
+WORKDIR /go/src/app
+
+RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
+
+CMD ["echo"]
+
diff --git a/sample-functions/ApiKeyProtected/README.md b/sample-functions/ApiKeyProtected/README.md
index 57cb284782781bb8014ee8badc7d202106a9d128..a2a65bb157582f4926df423239e61e3c4e1e1a28 100644
--- a/sample-functions/ApiKeyProtected/README.md
+++ b/sample-functions/ApiKeyProtected/README.md
@@ -1,6 +1,6 @@
 ### Api-Key-Protected sample
 
-See the [secure secret management guide](../guide/secure_secret_management.md) for instructions on how to use this function.
+To use this sample provide an env variable for the container/service in `secret_api_key`.
 
-When calling via the gateway pass the additional header "X-Api-Key", if it matches the `secret_api_key` value then the function will give access, otherwise access denied.
+Then when calling via the gateway pass the additional header "X-Api-Key", if it matches the `secret_api_key` value then the function will give access, otherwise access denied.
 
diff --git a/sample-functions/ApiKeyProtected/build.sh b/sample-functions/ApiKeyProtected/build.sh
new file mode 100755
index 0000000000000000000000000000000000000000..4cc047ef81e68f18b3a34ce9190a71b6cedc60f6
--- /dev/null
+++ b/sample-functions/ApiKeyProtected/build.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+echo Building functions/api-key-protected:build
+
+docker build --build-arg https_proxy=$https_proxy --build-arg http_proxy=$http_proxy \
+    -t functions/api-key-protected . -f Dockerfile.build
+
+docker create --name render_extract functions/api-key-protected
+docker cp render_extract:/go/src/app/app ./app
+docker rm -f render_extract
+
+echo Building functions/api-key-protected:latest
+docker build --no-cache -t functions/api-key-protected:latest .
diff --git a/sample-functions/ApiKeyProtected/handler.go b/sample-functions/ApiKeyProtected/handler.go
index fa82c030d1c87c26ce340e6c6361f202f2608307..7c1f9b3dd0191b92b2a2bad22f8291f4895ba792 100644
--- a/sample-functions/ApiKeyProtected/handler.go
+++ b/sample-functions/ApiKeyProtected/handler.go
@@ -4,21 +4,15 @@ import (
 	"fmt"
 	"io/ioutil"
 	"log"
+	"net/http"
 	"os"
-	"strings"
-)
-
-func handle(body []byte) {
-	key := os.Getenv("Http_X_Api_Key")
-
-	secretBytes, err := ioutil.ReadFile("/run/secrets/secret_api_key")
-	if err != nil {
-		log.Fatal(err)
-	}
 
-	secret := strings.TrimSpace(string(secretBytes))
+	"github.com/openfaas/faas/watchdog/types"
+)
 
-	if key == secret {
+func handle(header http.Header, body []byte) {
+	key := header.Get("X-Api-Key")
+	if key == os.Getenv("secret_api_key") {
 		fmt.Println("Unlocked the function!")
 	} else {
 		fmt.Println("Access denied!")
@@ -27,5 +21,9 @@ func handle(body []byte) {
 
 func main() {
 	bytes, _ := ioutil.ReadAll(os.Stdin)
-	handle(bytes)
+	req, err := types.UnmarshalRequest(bytes)
+	if err != nil {
+		log.Fatal(err)
+	}
+	handle(req.Header, req.Body.Raw)
 }