Rate Limiting: Should it be per user or per IP address?

hey all im wrestling with implementing rate limiting for a new api weve got a lot of users behind shared ips like corporate networks or mobile carriers and simply limiting by ip might hit legitimate users too hard but tracking and limiting per user adds complexity especially with anonymous users whats your experiences when have you found it best to go with per user limits per ip limits or maybe a hybrid approach whats the trade offs youve encountered