Hi,
Burp can scan both web apps and APIs, but there are certain differences in scanning them.
The reason why Burp only scanned the app-ui domain is that it is a website with a GUI, and Burp goes through a website just like a user would in a browser. Burp Scanner will go through the website, get the session tokens, maintain the sessions, and audit the locations it finds.
Prerequisites:
The specification of the API definition must be OpenAPI version 3.x.x, and based on either JSON or YAML.
The API definition must not contain any external references.
The API definition needs to be hosted and accessible by the scanning machine.
The API definition URL is also required to be included within the site scope of your scan.
Also, if the API uses an auth service such as OAuth 2 with the client credentials flow, Burp doesn't have a way to insert the client id and client secret to get new session tokens to scan the authenticated APIs. We do have a Burp extension for that though, which you can find here:
https://github.com/Hannah-PortSwigger/ClientCredentialsOauth.
Normally, if these API calls are part of the web app, Burp will use the session tokens generated by the app to scan these authenticated API calls. If they are not part of the app, it is better to start a new project for each API definition, and use the extension mentioned above to get the session tokens and scan the APIs.
Regards,
Syed
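An added example, not part of Syed's reply or of PortSwigger's tooling, that checks a parsed OpenAPI document against the prerequisites listed above: version 3.x.x, no external `$ref` targets, and a definition URL that falls inside the scan's site scope. The sample document, the scope prefixes and the scheme-plus-host-plus-path-prefix notion of "in scope" are constructed assumptions.

```python
import json
from typing import Iterator, List, Tuple
from urllib.parse import urlsplit


def iter_refs(node, path: str = "#") -> Iterator[Tuple[str, str]]:
    """Walk the parsed definition and yield (JSON-pointer location, target) for every $ref."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "$ref" and isinstance(value, str):
                yield path, value
            else:
                # Escape '~' and '/' as JSON Pointer requires, so "/pets" becomes "~1pets".
                token = key.replace("~", "~0").replace("/", "~1")
                yield from iter_refs(value, f"{path}/{token}")
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from iter_refs(item, f"{path}/{index}")


def check_definition(spec: dict) -> List[str]:
    """Return the prerequisite violations found; an empty list means the document passes."""
    problems = []
    version = spec.get("openapi")
    if not isinstance(version, str) or not version.startswith("3."):
        problems.append(f"openapi version must be 3.x.x, found {version!r}")
    # A $ref that does not start with '#' points outside the document (another file or URL).
    for location, target in iter_refs(spec):
        if not target.startswith("#"):
            problems.append(f"external $ref at {location}: {target}")
    return problems


def definition_url_in_scope(url: str, scope_prefixes: List[str]) -> bool:
    """True if the definition URL shares scheme and host with a scope prefix and its path starts with it."""
    parts = urlsplit(url)
    for prefix in scope_prefixes:
        p = urlsplit(prefix)
        if (parts.scheme, parts.netloc) == (p.scheme, p.netloc) and parts.path.startswith(p.path):
            return True
    return False


# Constructed sample: an OpenAPI 3 document with one internal and one external reference.
SAMPLE_SPEC = json.loads("""{
  "openapi": "3.0.3",
  "paths": {"/pets": {"get": {"responses": {
    "200": {"content": {"application/json": {"schema": {"$ref": "#/components/schemas/Pet"}}}},
    "default": {"content": {"application/json": {"schema": {"$ref": "common.json#/components/schemas/Error"}}}}
  }}}},
  "components": {"schemas": {"Pet": {"type": "object"}}}
}""")
```

Running `check_definition(SAMPLE_SPEC)` reports only the `common.json` reference, which is the kind of external reference that would have to be inlined before the definition can be scanned.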