In Toast's transaction logs, you will find a request such as:
INFO 2019-07-26T19:36:14.637Z cards<294> "dw-76 - POST /loyalty/inquiry"
[Punchh2Client] POST https://api.punchh.com/api/pos/redemptions/possible
[Punchh2Client] {"location_key":"cd789643eebd41a26aca8049b7cacafb8218","email":"test@test.com","receipt_amount":11.99,"subtotal_amount":11.99,"payable":12.75,"receipt_datetime":"2019-07-26T19:36:14.637Z","menu_items":[{"item_name":"Avocado Toast","item_qty":1,"item_amount":11.99,"menu_item_type":"M","menu_item_id":"16206dca-81ef-417b-ae95-cd3c636537db","menu_family":"food","menu_major_group":"(Dine In) Tartines"}],"discount_type":"reward","redeemed_points":0.0,"reward_id":"678729177","pos_version":"2.0","pos_type":"TOAST"}
In the above request, the "location_key" is the complete unmasked Punchh API key for this specific location. (For the sake of this documentation and for security, the above API key has been altered)