When a user exceeds the login attempt limits set in the file includes/defines.inc.php, all login attempts weather they are successful or failed all take the time set forth in the config file. The delay is only reset after the user logs into the web interface, not after a successful api login.
Steps to reproduce:
Login to Zabbix API with bad credentials
Repeat at least 4 more times for a total of greater than 5
Attempt to login using correct credentials (login will be delayed)
Repeat as needed to prove correct login does not reset failed login count
Log into web interface using correct credentials
Log into Zabbix API using correct credentials (no more delay)