Hello Bart,
To me it sounds like you’re trying to embed spotify in a page. Going on that assumption, in my opinion what you’re trying to do should be completely front-end. I don’t think end-user credentials for a separate service should be passed through your back-end at all, furthermore if you were making the calls front-end you would be able to use the HTML coming back to build an interface.
Why not build a widget for this?