Try this code in your DocumentRoot/.htaccess
:
DirectoryIndex index.php
Options +FollowSymlinks -MultiViews
RewriteEngine On
RewriteBase /api/
# Protect application and system files from being viewed
RewriteRule ^(?:application|modules|system)\b /index.php/$0 [L]
# Allow any files or directories that exist to be displayed directly
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php/$0 [L]
RewriteCond %{HTTP:Authorization} ^Basic.*
RewriteRule ^ index.php?Authorization=%{HTTP:Authorization} [L]