Are API limits tied to application key or user token?

Are the specified API request limits (36k per hour, 100 per second) tied to the users token, or is it tied to the application key? From the wording of the docs it sounds like it would be tied to the application key, but I am not completely sure.

Limits are applied per application.