rate limiting strategies for api gateways? like, what are some good ways to do it?

Hey everyone, I'm looking for some ideas about rate limiting at the API Gateway. We're dealing with a lot of abuse, and honestly, our current method (just blocking by IP) isn't really working anymore. Are you using token bucket, leaky bucket, fixed window, sliding window, or something different? How do you set up different limits for different user levels or API endpoints? I'm really curious to hear what works for you and what problems you've run into.