Using .htaccess to restrict access

Firstly, thanks a lot @bpit @HuffinPuffin for your well-working solution :)
Just to let you know:

  • it seems that in the last Matomo version, piwik.js was renamed to matomo.js. Unfortunately, it will pop up an Apache authentication window for any user who just displays your website …
  • the optOut option uses a new file, optOut.js, which shouldn’t be blocked by Apache

It changes

<FilesMatch "(^piwik\.(php|js)|robots\.txt)">

to

<FilesMatch "(^piwik\.(php|js)|^matomo\.(php|js)|robots\.txt|optOut\.js)">

So here is the conf which works for me :)

<Files "*">
 AuthType Basic
 AuthName "Authentication Required"
 # to be explicit, state the provider
 AuthBasicProvider file
 AuthUserFile "/etc/httpd/.htpasswd"
 Require valid-user
</Files>

# Allow external access to piwik.php, piwik.js, matomo.php, matomo.js, robots.txt and optOut.js
<FilesMatch "(^piwik\.(php|js)|^matomo\.(php|js)|robots\.txt|optOut\.js)">
 Require all granted
</FilesMatch>

# Allow Opt-Out
<Files "index.php">
 <If "(%{QUERY_STRING} =~ /^module\=CoreAdminHome\&action\=optOut/)">
   Require all granted
 </If>
</Files>

I kept the reference to ^piwik\.(php|js) just in case …

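An added example, not part of the original post and not Matomo's own code: a small audit of which file names the FilesMatch exemption above serves without Basic auth, next to a variant anchored at both ends. The anchored pattern, the helper names and the sample file names are assumptions constructed for this check.

```python
import re

# Exemption pattern from the post (with the dot in optOut.js escaped).
POSTED = r"(^piwik\.(php|js)|^matomo\.(php|js)|robots\.txt|optOut\.js)"
# Assumed tightening (not from the post): anchor both ends so that only
# the six exact file names are exempted from authentication.
ANCHORED = r"^((piwik|matomo)\.(php|js)|robots\.txt|optOut\.js)$"

# Constructed file names: the six intended ones plus look-alikes.
INTENDED = ["piwik.php", "piwik.js", "matomo.php", "matomo.js",
            "robots.txt", "optOut.js"]
LOOKALIKES = ["matomo.json", "piwik.php.bak", "matomo.js.map",
              "old-robots.txt", "robots.txt.php", "optOut.js.orig",
              "index.php", "config.ini.php"]


def unauthenticated(pattern, names):
    """Return the names the exemption would serve without Basic auth.

    <FilesMatch> runs an unanchored regex search against the file's base
    name, which re.search() models here.
    """
    rx = re.compile(pattern)
    return [n for n in names if rx.search(n)]


def audit(pattern):
    """Split the constructed names into (intended hits, unintended hits)."""
    return (unauthenticated(pattern, INTENDED),
            unauthenticated(pattern, LOOKALIKES))


if __name__ == "__main__":
    for label, pat in (("posted", POSTED), ("anchored", ANCHORED)):
        ok, extra = audit(pat)
        print(f"{label:9} intended={len(ok)}/{len(INTENDED)} "
              f"unintended={extra}")
```

Running the same check against a real directory listing of the Matomo install shows whether any backup or generated file falls under the exemption.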