How to use SetEnvIf with Request_URI when it is rewritten to index.php?

Question

We have a drupal website a.com that is password protected. I want all a.com/api/... URIs not to be, though. So I've read about SetEnvIf:

AuthName "Stage"
AuthType Basic
AuthUserFile ~/.htpasswd
SetEnvIf Request_URI ".*data_sheets.*\.pdf" noauth
SetEnvIf Request_URI "/api/.+" noauth
SetEnvIfNoCase Request_Method OPTIONS noauth
Order Deny,Allow
Deny from all
Require valid-user
Allow from env=noauth
Satisfy Any

The /api/foobar URIs are still asking for a password though. Since it's a Drupal website, with the help of anubhava we figured it has to do with how the request is handled by index.php.

How to deal with that?

Edit

Adding

RewriteCond %{REQUEST_URI} ^/api/ [NC]
RewriteRule ^ - [E=noauth]

right after

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !=/favicon.ico
RewriteRule ^ index.php [L]

didnt help

Answer 1

This works for me:

AuthName "Stage"
AuthType Basic
AuthUserFile /var/www/html/.htpasswd
SetEnvIf Request_URI ".*data_sheets.*\.pdf" noauth
SetEnvIf Request_URI "/api/.+" noauth
SetEnvIfNoCase Request_Method OPTIONS noauth

RewriteEngine On
RewriteCond %{THE_REQUEST} \s/api/
RewriteRule ^ - [E=noauth:1]

Order Deny,Allow
Deny from all
Require valid-user
Allow from env=noauth
Allow from env=rewritten
Satisfy Any

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !=/favicon.ico
RewriteRule ^ /index.html [L]