how do you do rate limiting for a REST API?

hey folks, im looking to implement rate limiting for a public-facing API we're building. we want to prevent abuse and ensure fair usage. ive seen various approaches like token bucket, leaky bucket, and fixed window counters. what have you found to be most effective in practice for REST APIs, and what are the trade-offs? any libraries or tools youd recommend?