how do u do rate limiting for apis without killing performance

hey everyone, im tryin to figure out the best way to implement rate limiting for our public apis. we want to protect against abuse, but im worried about adding too much overhead. are you using a dedicated service, doing it at the api gateway, or implementing it within the services themselves? what are your experiences with different strategies, especially regarding performance impact and ease of management?