Spotify, like most legit streaming services, use Google Widevine DRM, and you don't reverse engineer it. At least not for the level that is required for this kind of content (L3). When you stream something in browser or device, the decryption module of that device is "talking" to the license server. If the identification goes through, the decryption keys are sent and the media gets played. So what you do is you extract that decryption module from a device, and then use scripts to send requests acting as that device, tricking the license server into sending you the decryption keys.
Once set up, and with the proper script, it can actually be even more efficient than other forms of piracy.