rate limiting apis: per-ip or per-user?

hey everyone im wrestling w rate limiting for a new service weve got a mix of anonymous traffic and authenticated users should we focus on limiting based on ip address or try to track and limit per authenticated user what are the trade offs youve seen in practice esp concerning potential abuse and user experience