how do u manage api rate limiting effectively

So, I've been chewing on API rate limiting lately. You know, we need to stop abuse and make sure everyone gets a fair shake, right? But I've seen setups that are just too darn strict, bugging legit users, or the opposite, way too loose and don't really stop much. What are you guys using that actually works? Token buckets, leaky buckets, fixed windows, or what? I'm super curious about what you've tried and what's proven itself in the real world.