how to limit user api access, you know, so they don't overload things

Hey everyone, I've been thinking a lot about API rate limiting lately. Our traffic is really growing, and we need to make sure everyone gets a fair shot and nobody abuses the system, but we also don't want to annoy the good guys. What are your favorite ways to handle this? Are you using token buckets, leaky buckets, fixed windows, or maybe something different? And how do you deal with distributed systems, making sure everything stays consistent across all our API instances? I'd love to hear what's worked for you in the real world and what to watch out for.