Rate limiting, how do you do it right?

I've been thinking about rate limiting lately. It's super important for protecting services from abuse and making sure everyone gets a fair shot, but getting it right can be a real pain. I've come across a few ways to do it, like token buckets and leaky buckets, and some systems use things like Redis. What do you usually do for rate limiting, especially with microservices? Anything I should watch out for?