rate limiting, should it be per user, per IP address, or maybe both

hey everyone, ive been thinking a lot about rate limiting lately. we need to protect our apis from abuse and ensure fair usage. my main question is about the granularity. when is it best to limit by user (if authenticated), by ip address, or perhaps a combination of both? what are your go-to strategies for implementing effective rate limiting without overly frustrating legit users?