htpasswd exception for controller

I’m wondering if anyone’s using .htpasswd for basic site security for a staging site that’s in review (where we’re testing front-end registrations so we don’t want to force control panel logins, either), with an exception opened up for controllers that serve as webhooks for a third-party service to call. (Specifically, in this case, our forms push data to Salesforce via its API, and then Salesforce needs to be able to talk back to our server.)

From what I can tell, the following should be working, matching on a substring in the querystring on the controller URL, which looks like this:

https://mydevsitedomain.com/index.php?p=actions/namespace/controller/method&recordId=123

SetEnvIfExpr "%{QUERY_STRING} =~ /namespace/" api

AuthType Basic
AuthName "Staging"
AuthUserFile /storage/av#####/.htpasswd

Order allow,deny
Require valid-user
Allow from env=api
Deny from env=!api
Satisfy any

Where I left off: Basic authentication is working fine for other parts of the site. The exception URL seems to be in a redirect loop I can’t solve for, continually popping up an authentication modal that I haven’t submitted credentials via, because I’m trying to test for the exception to be allowed.

I’m about to give up and just redirect the homepage if I don’t have a logged-in user, though I really prefer to safeguard against any unwanted eyes (or indexing bots) hitting the sites. If anyone’s solved for this before, it’d be worth documenting!