rate limiting: are you protecting your apis effectively

so lately ive been thinking about how we do rate limiting. its a big deal for api security and stability, but there are tons of ways to go about it. are you guys using token bucket, leaky bucket, or something else? whats your usual approach for setting limits like per user, per ip, or per api key? any weird stuff or problems youve hit when setting it up or scaling it? im curious to hear what works for people