Wekan

Wekan is an open-source kanban board (Trello-like) that allows card-based task and to-do management.

Ports addresses for web vs api access

Wekan / General · January 3, 2020 at 8:31pm

I want to thank Lauri again for yesterday's marathon Q&A session, most appreciated... Here is my next challenge or confusion...

When you set up Wekan it needs to know a URL as a root web entity. The entity could be arbitrary or could be a subdomain we already own. Is that correct? That entity can have a port address. Whether I use one of the three methods of SSL or non-SSL proxy or just use an AWS load balancer with an SSL certificate, I get an address redirect from the outside world to the server serving the graphics of the Wekan kanban board. Confirming those are correct assumptions.

Is the API I will use internally from another server on the same VPC not exposed to the outside world using the same port address? Should it? Is there a way to make it use a different port address so I do not have to expose the API to the outside world? If so, what is best practice here?

Again, the use case is that Wekan provides a login to the outside world and the permission of that user login determines what they see and what they can do with what they see per swimlane, board, card, list etc. Those users and cards are populated by the API privately. The user interacts with Wekan and the program populating through the API can monitor through the API any responses. The users of the populating app are a different group of users than the users accessing Wekan directly through the web interface.

Please lmk if I am thinking about this completely wrong or assuming controls not in place or am worrying about security that is not an issue. If the API is the same port address as the web interface I assume the authentication token would protect or separate one from the other. Am I on the right track? If not, do I, can I, should I set the API to a different port address and block that access at the VPC level?

Sorry for the book. Thank you again for a great program and even better answers :)

January 8, 2020 at 9:08pm

About those roles, I already added the Worker role, the same way I added previous roles. I did not add a granular permission system this time; that would mostly have required a lot more work. There is a related issue here about how it was done, and the read-only role: https://github.com/wekan/wekan/issues/2876

January 11, 2020 at 1:40am

Thank you :)
