Rate Limiting: Per User or Per IP?
Almas Nurzhanov
2521 views
Hey everyone, I'm trying to figure out the best way to set up rate limiting for a new API. I'm stuck between limiting by API key (so, per user) or by source IP address. Both have their good and bad points. Limiting by user seems better for tracking how much each person is using the API, but then you run into issues with shared IPs, you know, like in an office or with CGNAT. Limiting by IP is easier to do right at the edge, but it might mess things up for several people sharing that one IP. I'm really interested to hear what you guys have done and what methods have worked best for you. How do you balance keeping things secure with making sure it's not a pain for users? What's your usual approach?
25 comments
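A concrete version of the trade-off the post describes, as an added example that is not code from the thread or from any commenter: requests that carry an API key are metered per key, every request is also metered per source IP, and the per-IP bucket is kept much larger so an office NAT or CGNAT address is not starved by one busy tenant. The token-bucket limiter, the trusted-proxy range 10.0.0.0/8, the burst and refill numbers, and the names `ApiRateLimiter`, `client_ip` and `FakeClock` are all assumptions for the example. It also includes the check that matters when the limit is applied at the edge: X-Forwarded-For is honoured only when the direct peer is one of your own proxies, because the client writes the left-hand side of that header.

```python
# Added example, not code from the thread. Assumed: a token-bucket limiter,
# a trusted-proxy range (10.0.0.0/8) and the limit values below.
import ipaddress
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Only these peers may set X-Forwarded-For on our behalf (assumed value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _trusted(addr) -> bool:
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr: str, xff: Optional[str]) -> str:
    """Address a request is attributed to for per-IP limiting.

    The left of X-Forwarded-For is client-controlled, so the header is used
    only when the direct peer is one of our proxies, and then the right-most
    hop that is not one of our proxies wins. Malformed input falls back to
    the peer address rather than to whatever the client sent.
    """
    peer = ipaddress.ip_address(peer_addr)
    if not _trusted(peer) or not xff:
        return str(peer)
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)
        if not _trusted(addr):
            return str(addr)
    return str(peer)


@dataclass
class _Bucket:
    tokens: float
    updated: float


class TokenBucketLimiter:
    """Per-key token bucket: bursts up to `capacity`, refills `rate`/second."""

    def __init__(self, capacity: int, rate: float, clock=time.monotonic):
        self.capacity, self.rate, self.clock = capacity, rate, clock
        self._buckets: Dict[str, _Bucket] = {}

    def allow(self, key: str) -> bool:
        now = self.clock()
        b = self._buckets.get(key)
        if b is None:
            b = self._buckets[key] = _Bucket(float(self.capacity), now)
        b.tokens = min(self.capacity, b.tokens + (now - b.updated) * self.rate)
        b.updated = now
        if b.tokens < 1:
            return False
        b.tokens -= 1
        return True


class ApiRateLimiter:
    """Tight limit per API key, looser limit per IP as a backstop.

    Authenticated callers are metered by key, so an office NAT or CGNAT
    address is not throttled by one busy tenant. The per-IP bucket is much
    larger and catches unauthenticated floods and callers rotating keys.
    """

    def __init__(self, key_burst=10, key_rate=1.0, ip_burst=100, ip_rate=20.0,
                 clock=time.monotonic):
        self.per_key = TokenBucketLimiter(key_burst, key_rate, clock)
        self.per_ip = TokenBucketLimiter(ip_burst, ip_rate, clock)

    def check(self, api_key: Optional[str], peer_addr: str,
              xff: Optional[str] = None) -> Tuple[bool, str]:
        """Return (allowed, reason); reason names the bucket that ran dry."""
        # Key first, so a caller already over their own quota does not also
        # drain the bucket shared with everyone else behind the same IP.
        if api_key is not None and not self.per_key.allow(api_key):
            return False, f"key:{api_key}"
        ip = client_ip(peer_addr, xff)
        if not self.per_ip.allow(ip):
            return False, f"ip:{ip}"
        return True, "ok"


class FakeClock:
    """Deterministic clock for the demo and tests."""

    def __init__(self, t: float = 0.0):
        self.t = t

    def __call__(self) -> float:
        return self.t


if __name__ == "__main__":
    clock = FakeClock()
    lim = ApiRateLimiter(clock=clock)
    # Constructed traffic: two tenants behind one NAT, seen via our proxy.
    for _ in range(11):
        ok, why = lim.check("alice", "10.1.2.3", "198.51.100.7")
    print("alice 11th call:", ok, why)                 # False key:alice
    print("bob, same IP:", lim.check("bob", "10.1.2.3", "198.51.100.7"))
    # A spoofed header from an untrusted peer is ignored.
    print("attributed IP:", client_ip("203.0.113.9", "10.0.0.1, 1.2.3.4"))
```

The numbers are placeholders; the design point is the ordering and the key choice. With a frozen clock, ten calls from `alice` exhaust her key bucket while `bob` on the same NAT address is still served, and an unauthenticated peer can only burn through the per-IP bucket it actually owns. If the limiter runs on more than one node, the bucket map needs to move into a shared store (Redis or similar) with the same refill arithmetic.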