rate limiting is it per ip per user or per api key

hey all, been thinking about rate limiting a lot. we did some basic IP-based stuff, but it's pretty clunky. it can unfairly punish people on shared IPs and doesn't really track individual user actions or abuse. how are you guys doing it? mostly per-user limits, per-API key limits, or both? what have you noticed are the pros and cons? just looking for real-world tips and what you've learned.