diff --git a/app/controllers/admin/subscriptions_controller.rb b/app/controllers/admin/subscriptions_controller.rb
index da99409469..4e6c65018a 100644
--- a/app/controllers/admin/subscriptions_controller.rb
+++ b/app/controllers/admin/subscriptions_controller.rb
@@ -65,7 +65,7 @@ module Admin
 private
 def save_form_and_render(render_issues = true)
- form = SubscriptionForm.new(@subscription, params[:subscription])
+ form = SubscriptionForm.new(@subscription, subscription_params)
 unless form.save
 render json: { errors: form.json_errors }, status: :unprocessable_entity
 return
@@ -149,11 +149,25 @@ module Admin
 # Overriding Spree method to load data from params here so that
 # we can authorise #create using an object with required attributes
 def build_resource
- Subscription.new(params[:subscription])
+ Subscription.new(subscription_params)
 end
 def ams_prefix_whitelist
 [:index]
 end
+
+ def subscription_params
+ return params[:subscription] if params[:subscription].empty?
+
+ params.require(:subscription).permit(
+ :shop_id, :schedule_id, :customer_id,
+ :payment_method_id, :shipping_method_id,
+ :begins_at, :ends_at,
+ :canceled_at, :paused_at,
+ :subscription_line_items_attributes => [:id, :quantity, :variant_id],
+ :bill_address_attributes => permitted_address_attributes,
+ :ship_address_attributes => permitted_address_attributes
+ )
+ end
 end
 end
diff --git a/app/services/subscription_form.rb b/app/services/subscription_form.rb
index da82063b5c..0458467fb5 100644
--- a/app/services/subscription_form.rb
+++ b/app/services/subscription_form.rb
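Review bot: The guard at the top of `subscription_params` calls `.empty?` directly on `params[:subscription]`, so a request that omits the key raises NoMethodError on nil, and when the value is present but empty the method returns the raw object without passing it through the whitelist. Both paths can be closed with a single expression, `params.fetch(:subscription, {}).permit(...)` with the same attribute list, so that nothing unpermitted is ever returned. Separately, the list permits `shop_id` and `customer_id`: the comment above `build_resource` indicates #create is authorised on the built object, but whether the update path through `save_form_and_render` re-checks ownership after these fields are assigned is not visible in this diff and should be confirmed. A short comment above the method, for example `# Whitelist for mass assignment; nested attributes are limited to the keys listed below`, would make the intent explicit.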
@@ -1,21 +1,21 @@
 require 'open_food_network/proxy_order_syncer'
 class SubscriptionForm
- attr_accessor :subscription, :params, :order_update_issues, :validator, :order_syncer, :estimator
+ attr_accessor :subscription, :subscription_params, :order_update_issues, :validator, :order_syncer, :estimator
 delegate :json_errors, :valid?, to: :validator
 delegate :order_update_issues, to: :order_syncer
- def initialize(subscription, params = {})
+ def initialize(subscription, subscription_params = {})
 @subscription = subscription
- @params = params
+ @subscription_params = subscription_params
 @estimator = SubscriptionEstimator.new(subscription)
 @validator = SubscriptionValidator.new(subscription)
 @order_syncer = OrderSyncer.new(subscription)
 end
 def save
- subscription.assign_attributes(params)
+ subscription.assign_attributes(subscription_params)
 return false unless valid?
 subscription.transaction do