Panel: invalid login with basic auth and .htpasswd

Ah, I see. Once you enable the api.basicAuth option, Kirby will use the Authorization header also to authenticate the human user. Because the “human” credentials are not known to Kirby, every request by the human user counts as an invalid authentication attempt, which increments the trials in the .logins file (brute-force protection).

So you need to configure Apache to pass the Authorization header to Kirby only if it’s the API user. Otherwise the header should be dropped so that the human user can authenticate via a session cookie as normal. Alternatively, you can create a Kirby user for the “human” credentials from .htpasswd. This would have the advantage that the user is automatically logged in, but the disadvantages that you need to mirror the config and that authenticated Kirby responses are a bit slower because the password hash needs to be checked on every single request.
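The lockout described in this post and the header-dropping rule it recommends, modelled in Python as an added example that is not part of the original post and is not Kirby or Apache code. `KirbyModel`, `header_for_kirby`, the user names and the passwords are constructed assumptions; the filter stands in for whatever Apache rule drops the header.

```python
import base64
import binascii

API_USER = "api@example.com"  # assumed name of the Kirby API user (constructed)

def basic(user, password):  # build a Basic Authorization header value (RFC 7617)
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic(header):
    """Return (user, password), or None if the header is absent or malformed."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def header_for_kirby(header, api_user=API_USER):
    """Hypothetical filter: forward the header only when it names the API user."""
    creds = parse_basic(header)
    return header if creds and creds[0] == api_user else None

class KirbyModel:
    """Toy model of Kirby with api.basicAuth on; trials mimics the .logins counter."""
    def __init__(self, users):
        self.users, self.trials = users, 0

    def handle(self, header):
        if header is None:
            return "session"          # no header: normal session-cookie login
        creds = parse_basic(header)
        if creds and self.users.get(creds[0]) == creds[1]:
            return "api"
        self.trials += 1              # unknown credentials count as a failed login
        return "invalid"

def simulate(filtered):
    """Three Panel requests by the .htpasswd user, then one API request."""
    kirby = KirbyModel({API_USER: "api-secret"})
    human = basic("editor", "htpasswd-secret")  # constructed .htpasswd credentials
    requests = [human, human, human, basic(API_USER, "api-secret")]
    seen = [kirby.handle(header_for_kirby(h) if filtered else h) for h in requests]
    return seen, kirby.trials

if __name__ == "__main__":
    print(simulate(False), simulate(True))  # unfiltered vs. API-user-only header
```

In this model a wrong password sent under the API user's name still passes the filter and still increments `trials`, so the brute-force counter keeps covering the API account.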