api rate limiting: per user or per ip

hey everyone, been thinking about api rate limiting lately. we're seeing some increased traffic and want to implement limits to protect our service. the question is, whats generally preferred: limiting based on the api key/user id or based on the clients ip address? each has its pros and cons (e.g., shared ips vs. users hitting multiple services). what strategies have you found most effective in practice? curious to hear your thoughts and experiences.