Should we do rate limiting by IP address or by user ID
Gowri Muthusamy
·3043 views
Hey everyone, thinking about implementing rate limiting on a new service. I'm torn between applying limits based on the client's IP address versus their authenticated user ID. IP-based is simpler to implement initially, but a single user could hit limits if they're behind a NAT or using a shared proxy. User ID-based is more granular and fair to individual users, but requires authentication to be in place first and might be harder to track abuse from anonymous sources. What's your experience? Which approach do you prefer and why?
34 comments
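The trade-off described in the post, replayed on constructed traffic. This is an added example, not code from the poster: the limiter class, the limit of 5 requests per 60 seconds, the user names and the documentation-range IP addresses are all assumptions.

```python
from collections import defaultdict, deque

class SlidingWindowLimiter:
    """At most `limit` accepted requests per `window` seconds for each key."""
    def __init__(self, limit, window, key_fn):
        self.limit, self.window, self.key_fn = limit, window, key_fn
        self.hits = defaultdict(deque)  # key -> timestamps of accepted requests

    def allow(self, req):
        key = self.key_fn(req)
        if key is None:  # no identity to key on, so this limiter cannot count it
            return True
        q = self.hits[key]
        while q and q[0] <= req["ts"] - self.window:  # drop expired timestamps
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(req["ts"])
        return True

def by_ip(req):
    return req["ip"]

def by_user(req):
    return req["user"]  # None for anonymous requests

def sample_traffic():
    """Constructed: 3 logged-in users share one NAT IP; 1 anonymous client bursts."""
    reqs = []
    for _ in range(3):  # three rounds, one request per user per round
        for user in ("alice", "bob", "carol"):
            reqs.append({"ts": len(reqs), "ip": "203.0.113.10", "user": user})
    for i in range(20):  # anonymous burst from a single address
        reqs.append({"ts": 10 + i, "ip": "198.51.100.7", "user": None})
    return reqs

def replay(requests, key_fn, limit=5, window=60):
    """Return {client: rejected_count} for the given keying strategy."""
    limiter = SlidingWindowLimiter(limit, window, key_fn)
    rejected = defaultdict(int)
    for req in requests:
        if not limiter.allow(req):
            rejected[req["user"] or "anon@" + req["ip"]] += 1
    return dict(rejected)

if __name__ == "__main__":
    print("keyed by IP:  ", replay(sample_traffic(), by_ip))
    print("keyed by user:", replay(sample_traffic(), by_user))
```

Keyed by IP, the three users behind the shared address are throttled as one client even though each sent only three requests; keyed by user ID, none of them is throttled but the anonymous burst is never counted at all.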