when should you put rate limiting in place

Hey everyone, I'm planning on building some APIs and starting to get a little worried about potential abuse. When have you guys found it absolutely critical to implement rate limiting? Is it something you guys add right at the beginning, or only once you start actually noticing specific problems? I'm curious to hear about different strategies for different kinds of APIs too, like public ones versus internal ones