Rate Limiting for Microservices: Per-IP or Per-User?

Hey everyone, I'm trying to figure out the best way to handle rate limiting in our microservices setup. Traffic spikes are a real problem, and we need to stop abuse and make sure everyone gets a fair shot. Should we limit things by the client's IP address, or would it be better to track and limit by authenticated user IDs? IP-based limits are easier to start with, but they don't really help when you have lots of users behind the same NAT or shared IPs. Tracking by user is more specific, but it definitely makes things more complicated. What have you all found works best? I'm really interested to hear what others have tried successfully.