Rate limiter: per IP, or per user ID? We should decide that.
Urooj Kazmi
Hey everyone, I'm trying to figure out the best way to set up a rate limiter for our new service. What do you think is the way to go? Should we mainly limit by client IP address, or is it better to use a unique User ID after they log in? I know IP limiting can be a pain with things like NAT and shared IPs, but limiting by User ID could be a problem if someone hijacks an account or uses stolen credentials, you know? What have you all found works well? Any favorite methods for keeping things secure without annoying users?